Solved: Re: How do I fill values in a timechart for a non ...

avisriv · ‎09-28-2018

How do I fill values in a timechart for a non existing event? Suppose that the event is received at 5:00AM. Then, I would want to fill data of this 5:00AM to the timechart before 5:00AM? filldown is working to fill after 5:00AM, but not before 5:00AM.

source="something_source" topic="something_topic" earliest = "-1d" client="cpu1305" 
| timechart span=1m latest(msg) as Valuess
| filldown 
| fillnull value=latest(msg) Valuess

Sukisen1981 · ‎09-28-2018

Something like this ?

 | timechart span=5m latest(action) as Valuess
 | filldown 
 |eventstats first(Valuess) as v | fillnull value=0 Valuess | eval Valuess=if(Valuess=0,v,Valuess) | fields - v

View solution in original post

Sukisen1981 · ‎09-28-2018

Something like this ?

 | timechart span=5m latest(action) as Valuess
 | filldown 
 |eventstats first(Valuess) as v | fillnull value=0 Valuess | eval Valuess=if(Valuess=0,v,Valuess) | fields - v

avisriv · ‎10-01-2018

Hi! Thanks for the answer. Only one problem is that the values that are being filled before 5:00 AM is the latest value, but i need to fill it with the first received event, not the last received event.
i tried using 'first' in-place of 'last', but it doesn't work

avisriv · ‎10-01-2018

no worries, i just found a solution. just moved the eventstats before fillnull and replaced 'last' with 'first'.

How do I fill values in a timechart for a non existing event?

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

Improve Data Pipelines Using Splunk Data Management

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?