Splunk Search

How include empty buckets in the start and end of timechart/bin output?

New Member

I have a scenario here.

I have data in my local Splunk for time range from 6-Nov-2015 11:45 UTC to 10-Nov-2015 13:45 UTC. I need to get the data count in buckets based on time span of 15 minutes. If I try to search data from 6-Nov-2015 10:30 UTC to 10-Nov-2015 15:30 UTC using timechart, I am getting empty buckets in between the data, but losing the empty buckets at the start/end. And I am getting buckets from 6-Nov-2015 11:45 UTC to 10-Nov-2015 13:45 UTC. Can anyone suggest how to get the empty buckets at the start/end?

My Splunk search is:

(index=my_index msecBefore>=1446805800000 msecBefore<=1447169400000 label="testLabel") | timechart cont=true span=15m count(eval( msecElapsed<72000000)) as Satisfied

Any help would be appreciated.

Regards,
Suresh


SplunkTrust

Add in dummy records for start and end that won't affect the result, i.e., that have msecElapsed greater than your satisfied number. Do this immediately before your timechart command.

| append 
   [|makeresults | eval  msecElapsed=72000001 
    | eval MyFlag=mvappend("DummyStart","DummyEnd") 
    | mvexpand MyFlag ] 
| addinfo 
| eval _time=case(isnull(MyFlag),_time,MyFlag=="DummyStart",info_min_time,MyFlag=="DummyEnd",info_max_time)

The addinfo command has to be outside the brackets, so it pulls its info_min_time and info_max_time from the outside search time range.
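To make the bucketing behaviour concrete outside Splunk, here is an added example (not from this thread or from Splunk) that reproduces what the dummy-record trick achieves: 15-minute buckets are emitted for the whole search window, so the leading and trailing empty buckets survive instead of the chart silently shrinking to the first and last event. For monitoring that matters, because a trimmed range hides the fact that a source was silent for part of the window. The sample events and the window bounds are constructed; the 72000000 threshold is the Satisfied condition from the question.

```python
from datetime import datetime, timezone, timedelta

SPAN = timedelta(minutes=15)   # timechart span=15m
SATISFIED_MS = 72_000_000      # count(eval(msecElapsed < 72000000)) from the question

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def ts(text):
    """Parse a constructed UTC timestamp such as '2015-11-06 11:45'."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


def floor_to_span(t, span):
    """Align t down to its bucket boundary, as bin/timechart does for a given span."""
    return EPOCH + ((t - EPOCH) // span) * span


def fixed_range_timechart(events, earliest, latest, span=SPAN):
    """Return [(bucket_start, satisfied_count), ...] covering every bucket
    from earliest (inclusive) to latest (exclusive), empty buckets included."""
    counts = {}
    for ev in events:
        in_window = earliest <= ev["_time"] < latest
        if in_window and ev["msecElapsed"] < SATISFIED_MS:
            bucket = floor_to_span(ev["_time"], span)
            counts[bucket] = counts.get(bucket, 0) + 1

    # Walk the whole search window rather than only the buckets that hold data;
    # this is the step that keeps the leading and trailing empty buckets.
    series = []
    bucket = floor_to_span(earliest, span)
    while bucket < latest:
        series.append((bucket, counts.get(bucket, 0)))
        bucket += span
    return series


# Constructed sample: data only exists between 11:45 and 13:00,
# while the search window runs from 10:30 to 15:30.
EVENTS = [
    {"_time": ts("2015-11-06 11:45"), "msecElapsed": 1_000},       # satisfied
    {"_time": ts("2015-11-06 12:10"), "msecElapsed": 90_000_000},  # not satisfied
    {"_time": ts("2015-11-06 13:00"), "msecElapsed": 5_000},       # satisfied
]

if __name__ == "__main__":
    for start, n in fixed_range_timechart(EVENTS, ts("2015-11-06 10:30"), ts("2015-11-06 15:30")):
        print(start.strftime("%H:%M"), n)
```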

Engager

Thank you DalJeanis! While this is a lot of work for such a simple outcome, it does work!


SplunkTrust

Agreed. It would seem that you should be able to use a combination of the bin start/end options and the continuous flag, but (as I understand it) there are some finicky things about the order of the bin options and how much option information Splunk thinks is enough... and more than that is not allowed.


Engager

Hello Suresh,

Did you find a solution for this? I am having the same problem.

Thanks
Sean


Engager

Thanks lquinn, but that didn't work.

This is my search:

snedgeencryption (host="XXXXXXX") OR (host="XXXXX") proxy NOT EdgeEncryptionProcessor | timechart span=30s count fixedrange=true

My search window is:

34 events (2/8/17 10:20:00.000 AM to 2/8/17 11:36:00.000

But when I go to the visualization tab the chart that comes up starts at my first search result which is 1031. I want the chart on the visualization tab to be the same time range as my search window above.


Legend

You don't need cont=true in the timechart command. I think that fixedrange=true is the default, but you might add it to be sure...
