Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted
Solved! Jump to solution

How to display bucket/histogram data with zero count?

jbp4444
Path Finder
‎06-15-2010 01:09 PM

I'm trying to run a bucket/histogram of data but I want to display buckets that have zero count. By default, bucket seems to hide those entries.

Quick example -- histogram of CPU-load on a group of machines. Each machine logs cpu-load as 'x' every 15min, I pick the latest entry for each host and bucket that data:

(search command) |stats first(x) as ff by host |bucket ff bins=10 start=0 end=10 |chart count(ff) over ff

Is there a way to tell bucket (or chart) that it should display all bins, even if they are zero-count?

Tags (1)
Reply
1 Solution
Highlighted
Solved! Jump to solution
Solution

Re: How to display bucket/histogram data with zero count?

gkanapathy
Splunk Employee
Splunk Employee
‎06-15-2010 01:24 PM

You should probably just not invoke bucket at all, and just use chart count(ff) over ff bins=10, or use makecontinuous instead of bucket.

View solution in original post

Reply
Highlighted
Solved! Jump to solution

Re: How to display bucket/histogram data with zero count?

jbp4444
Path Finder
‎06-15-2010 02:55 PM

That works exactly how I wanted it -- thanks!

0 Karma
Reply
Highlighted
Solved! Jump to solution

Re: How to display bucket/histogram data with zero count?

helge
Builder
‎02-24-2017 03:07 PM

Thanks for making me aware of the makecontinuous command

0 Karma
Reply