Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to fetch timestamp for dates where events are lesser than average event count?

Taruchit
Contributor
‎01-08-2024 04:27 AM

Hello All,

I need to fetch the dates in the past 7 days where events are lesser than average event count.

I used the below SPL: -

|tstats count where index=index_name sourcetype=xxx BY _time span=1d
|eventstats avg(count) AS avg_count

However, in scenario where on a particular day no events are ingested, the result skips those dates, that is does not return the dates with event count as zero.

For example: It skips showing the highlighted rows in the below table: -

_timecountavg_count
2024-01-010240
2024-01-02240240
2024-01-030240
2024-01-040240
2024-01-05240240
2024-01-06240240
2024-01-070240

 

And gives below as the result: -

_timecountevent_count
2024-01-02240240
2024-01-05240240
2024-01-06240240

 

Thus, need your guidance to resolve this problem.

Thanking you

Taruchit

Labels (3)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎01-08-2024 05:10 AM

That's "by design". You only generate results for those days when you had results. That's how tstats works.

You need to use timechart along with tstats and use the prestats feature of tstats.

|tstats prestats=t count where index=index_name sourcetype=xxx BY _time span=1d
| timechart span=1d count

 

View solution in original post

Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎01-08-2024 05:10 AM

That's "by design". You only generate results for those days when you had results. That's how tstats works.

You need to use timechart along with tstats and use the prestats feature of tstats.

|tstats prestats=t count where index=index_name sourcetype=xxx BY _time span=1d
| timechart span=1d count

 

Reply
Solved! Jump to solution

Taruchit
Contributor
‎01-08-2024 05:51 AM

Hello @PickleRick,

Thank you for your inputs. It helped to resolve the issue.

It would be very helpful if you could share how the use of prestats helped in this case so that its usage becomes more clear to understand.

Thank you

Taruchit

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎01-08-2024 06:14 AM

prestats=t is an option which tells tstats to produce results in format apropriate for further processing (most typically by timechart). So the main thing here is the timechart command - it is responsible for creating the timeseries with "empty" days counted as 0.

Reply
Solved! Jump to solution

Taruchit
Contributor
‎01-08-2024 06:19 AM

Thank you for sharing your inputs.

0 Karma
Reply
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...