Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to fill the gaps from days with no data in tstats + timechart query?

Neel881
Path Finder
‎09-19-2023 07:13 AM

Hello,

How to fill the gaps from days with no data in tstats + timechart query?

Query:

| tstats count as Total where index="abc"  by _time, Type span=1d

Getting:

Neel881_0-1695132638207.png

Required:

Neel881_1-1695132682156.png

 

Please suggest

 

Thank You

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-19-2023 08:17 AM

Try something like this

| tstats count as Total where index="abc"  by _time, Type span=1d
| timechart span=1d max(Total) as Total by Type
| untable _time Type Total

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-19-2023 09:54 AM

Try this.  The timechart command should fill in empty time slots automatically.

| tstats prestats=true count as Total where index="abc"  by _time, Type span=1d
| timechart span=1d cont=true count as Total by Type

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Neel881
Path Finder
‎09-19-2023 09:08 AM

Same output

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-19-2023 09:26 AM

Try with fillnull

| tstats count as Total where index="abc"  by _time, Type span=1d
| timechart span=1d max(Total) as Total by Type
| fillnull value=0
| untable _time Type Total
Reply
Solved! Jump to solution

Neel881
Path Finder
‎09-20-2023 02:22 AM

Fillnull works properly in my case. Thank you!

 

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-19-2023 08:17 AM

Try something like this

| tstats count as Total where index="abc"  by _time, Type span=1d
| timechart span=1d max(Total) as Total by Type
| untable _time Type Total
Reply
Solved! Jump to solution

Neel881
Path Finder
‎09-20-2023 02:12 AM

Thank you, Now I am getting correct output but Phase data is missing.

| tstats count as Total where index="abc"  by _time, Type, Phase span=1d
| timechart span=1d max(Total) as Total by Type
| untable _time Type Total

 Phase field is missing in the final table.

I tried to add 'Phase' field in the untable but showing error.

 

Pls suggest

0 Karma
Reply
Solved! Jump to solution

Neel881
Path Finder
‎09-20-2023 02:21 AM

Got the solution. Thank you so much.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...