How to display 0 in a timechart table?

jip31 · ‎03-11-2022

hello

I count results by _time in a table panel like this and it works perfectly

When the results is 0 the result is displayed only once there is a result on the bin _time after

For example, if at 7h, the result is = 0 but at 8h the result is = 1, the results for 7h and 8h are correctly displayed

But as long as the result is 0, nothing is displayed

index=toto 
| bin span=1h _time  
| stats count as Pb by s _time 
| search Pb >= 3 
| timechart dc(s) as s span=1h 
| where _time < now() 
| eval time = strftime(_time, "%H:%M") 
| stats sum(s) as nbs by time 
| rename time as Heure

so I tried this for displaying results = 0 but it doesnt works

could you help please?

| eval nbs =if(isnull(nbs, 0, nbs)

somesoni2 · ‎03-15-2022

Give this a try

index=toto 
| bin span=1h _time  
| stats count as Pb by s _time 
| search Pb >= 3 
| timechart dc(s) as s span=1h 
| where _time < now() 
| eval time = strftime(_time, "%H:%M") 
| stats sum(s) as nbs by time 
| rename time as Heure
| appendpipe [| stats count | where count=0  | eval t=mvrange(0, 24,1) | table t | mvexpand t | eval Heure=substr("0".t,-2) | fields - t| eval nbs=0]

jip31 · ‎03-15-2022

it's a little better it misses 2 things

1) the "Heure" format is not good because I need a display in hour minutes (07:00 instead 07)

2) I just need to display result=0 for the Heure corresponding to the system time (if the system time is 07:00 I need to display 0 only fo 7:00 and not 8:00)

thanks

jip31 · ‎03-14-2022

Is anybody can help please?

somesoni2 · ‎03-11-2022

Give this a try

index=toto 
| bin span=1h _time  
| stats count as Pb by s _time 
| search Pb >= 3 
| timechart dc(s) as nbs span=1h 
| eval Heure = strftime(_time, "%H:%M") 
| table Heure nbs | fillnull value=0

jip31 · ‎03-13-2022

hi

sorry but any results are displayed

PickleRick · ‎03-11-2022

You're doing some strange things here 🙂

Firstly, if you're binning to a full hour, why strftime with minutes? 🙂

Secondly, I'm not sure what you're trying to achieve. Especially with that _time condition - it should be part of the base search.

Can you be a bit more specific what is the goal of this search?

jip31 · ‎03-11-2022

Hi

Because I need to display minutes after hour...

Like I said, O is displayed in my table only when there is events on a previous time or an anterior time

for example if at 7h00 there is no event I must wait to have events at 8h00 for having a result = 0 at 7h

Or to have events at 6h00 for having a result = 0 at 7h00

So I am looking for a solution in order to be able to display a result = 0 without wainting a time span with events > 0

PickleRick · ‎03-11-2022

OK, you could have just put a static ":00" since your timestamps are aligned to full hour but this way it will also work 🙂

And about my question what you're trying to do I meant what you're trying to get from your search as a whole. Not what particular technical obstacle you're trying to overcome but what is the "high-level" goal of this search. I mean - what type of report you want to get at the end. What is it supposed to show?

jip31 · ‎03-11-2022

Like this it's almost working except I ave no time displayed

| appendpipe 
    [ stats count as _events 
    | where _events = 0 
    | eval nbs = 0 ]

jip31 · ‎03-11-2022

here is what I display

following this example, what I try to explain is that when the nbs field result is 0 I need that the posterior field has a result value in order to display the anterior field which is equal to 0

Imagine that all fields will be equal to 0, it means that there will be any value in my table, just the message "any results"

How to display 0 in a timechart table?

other

timechart

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?