Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to autofill rows in a table, even if there are no values produced by streamstats?

dimoklis
Explorer
‎01-11-2016 06:25 AM

Hello,

I have an output table like below from a streamstats call on my events:

period    total   cummulative_total
1             14           14
3             15           29
4              5           34
6             10           44

where periods are time spans of 2h and total and cumulative total are sums from stats and streamstats respectively.

What I would like to ask is whether there is a way to autocomplete data rows for a full set of periods. in the example above periods 2 , 5 ,7....12 are missing as you see. I would like to end up with a table like below:

period    total   cummulative_total
 1             14           14
 2              0           14
 3             15           29
 4              5           34
 5              0           34
 6             10           44
 .              .           .
 .              .           .

so period 2 and 5 as for example take totals as 0, but keep cumulative ones from previous period stats.

Many thanks in advance,
Dimoklis.

Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-12-2016 09:35 AM

Try something like this

your base search | timechart span=2h sum(quantity) as total by id | untable _time id total | streamstats sum(total) as cumulative_total by id| eval period=strftime(_time,"%H")

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-12-2016 09:35 AM

Try something like this

your base search | timechart span=2h sum(quantity) as total by id | untable _time id total | streamstats sum(total) as cumulative_total by id| eval period=strftime(_time,"%H")
Reply
Solved! Jump to solution

dimoklis
Explorer
‎01-13-2016 02:25 AM

Thanks somesoni2, found it yesterday using the same logic as you suggested!

Reply
Solved! Jump to solution

lguinn2
Legend
‎01-11-2016 10:32 PM

Can you post your search?

0 Karma
Reply
Solved! Jump to solution

dimoklis
Explorer
‎01-12-2016 08:43 AM

hi and thanks @Iguinn, please see below:

...|bucket _time span=2h |stats sum(quantity) as total by id, _time | streamstats sum(total) as cumulative_total by id| eval period=strftime(_time,"%H")

PS. Ihave tried with timechart which can automatically fill the gaps in time and values but my data gets transposed. I need to maintain the table layout as per the example if possible

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎01-11-2016 07:19 AM

Is total number of periods a constant?

0 Karma
Reply
Solved! Jump to solution

dimoklis
Explorer
‎01-11-2016 07:33 AM

hi sundareshr, yes it is. these are 2h time spans within a day string from 00,02,04,...22 (12 total)

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎01-11-2016 07:40 AM

Have you tried using the timechart command

| timechart span=2h count as total | streamstats sum(total) as cummulative_total

Look at the fixedrange usenull and cont options for this command

http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Timechart

0 Karma
Reply
Get Updates on the Splunk Community!

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...