Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to fetch timestamp for dates where events are lesser than average event count?

Taruchit
Contributor
‎01-08-2024 04:27 AM

Hello All,

I need to fetch the dates in the past 7 days where events are lesser than average event count.

I used the below SPL: -

|tstats count where index=index_name sourcetype=xxx BY _time span=1d
|eventstats avg(count) AS avg_count

However, in scenario where on a particular day no events are ingested, the result skips those dates, that is does not return the dates with event count as zero.

For example: It skips showing the highlighted rows in the below table: -

_timecountavg_count
2024-01-010240
2024-01-02240240
2024-01-030240
2024-01-040240
2024-01-05240240
2024-01-06240240
2024-01-070240

 

And gives below as the result: -

_timecountevent_count
2024-01-02240240
2024-01-05240240
2024-01-06240240

 

Thus, need your guidance to resolve this problem.

Thanking you

Taruchit

Labels (3)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎01-08-2024 05:10 AM

That's "by design". You only generate results for those days when you had results. That's how tstats works.

You need to use timechart along with tstats and use the prestats feature of tstats.

|tstats prestats=t count where index=index_name sourcetype=xxx BY _time span=1d
| timechart span=1d count

 

View solution in original post

Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎01-08-2024 05:10 AM

That's "by design". You only generate results for those days when you had results. That's how tstats works.

You need to use timechart along with tstats and use the prestats feature of tstats.

|tstats prestats=t count where index=index_name sourcetype=xxx BY _time span=1d
| timechart span=1d count

 

Reply
Solved! Jump to solution

Taruchit
Contributor
‎01-08-2024 05:51 AM

Hello @PickleRick,

Thank you for your inputs. It helped to resolve the issue.

It would be very helpful if you could share how the use of prestats helped in this case so that its usage becomes more clear to understand.

Thank you

Taruchit

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎01-08-2024 06:14 AM

prestats=t is an option which tells tstats to produce results in format apropriate for further processing (most typically by timechart). So the main thing here is the timechart command - it is responsible for creating the timeseries with "empty" days counted as 0.

Reply
Solved! Jump to solution

Taruchit
Contributor
‎01-08-2024 06:19 AM

Thank you for sharing your inputs.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Registration is OPEN!

Ready. Set. Splunk! Your favorite Splunk user event is back and better than ever. Get ready for more technical ...

Detecting Cross-Channel Fraud with Splunk

This article is the final installment in our three-part series exploring fraud detection techniques using ...

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...
Top