How show 0 when not result

Luninho · ‎10-29-2020

I need show any value in every minute, but I only get value > 0
Search:
| tstats count WHERE index=XXXXX C_TXN_A IN (1,2) C_TXN_B IN (1)
((C_TXN_C IN (1,2,3,5) AND C_TXN_D IN (5,6)) OR (NOT C_TXN_C IN (4,6) AND C_TXN_D IN (7,8)))
by _time span=1m
| sort _time

After that, I get:
2020-10-29 10:45:00 47
2020-10-29 10:40:00 12

But I want to get:
2020-10-29 10:45:00 47
2020-10-29 10:44:00 0
2020-10-29 10:43:00 0
2020-10-29 10:42:00 0
2020-10-29 10:41:00 0
2020-10-29 10:45:00 12

How to do it?

richgalloway · ‎10-29-2020

The timechart command will do that.

| tstats prestats=t count WHERE index=XXXXX C_TXN_A IN (1,2) C_TXN_B IN (1)
((C_TXN_C IN (1,2,3,5) AND C_TXN_D IN (5,6)) OR (NOT C_TXN_C IN (4,6) AND C_TXN_D IN (7,8)))
by _time span=1m 
| timechart span=1m count

---
If this reply helps you, Karma would be appreciated.

Luninho · ‎10-29-2020

You helped me however I improved your idea:
|timechart span=1m sum(count)
|fillnull

How show 0 when not result

tstats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation

How show 0 when not result

tstats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability