Splunk Search

How to fill the gaps from days with no data in tstats + timechart query?

mciudad
Explorer

Hello,

I'm trying to get the statistics of the bytes transferred each day with a query like this:

 | tstats prestats=t  sum(bytes) from datamodel=DM earliest=-7d@d latest=@d by _time span=1d | timechart span=1d sum(bytes) as "Bytes"

And the results are something like this, skipping the days with no data:

_time        Bytes
2015-06-16  5509565371
2015-06-17  15556005605
2015-06-18  15556685676
2015-06-19  9722873606 

What I need is to fill the days with no data with 0s, something like this:

_time        Bytes
2015-06-15  0
2015-06-16  5509565371
2015-06-17  15556005605
2015-06-18  15556685676
2015-06-19  9722873606
2015-06-20  0
2015-06-21  0 

How could I make that possible without lowering the performance?

Tags (4)
0 Karma
1 Solution

woodcock
Esteemed Legend

It should already be doing that (that is what it does) but just in case try adding cont=t. In either case, DEFINITELY open a support ticket to report this bug.

http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Timechart

View solution in original post

jiaqya
Builder

I see it was answered to be done using timechart, but how to do the same with tstats.
tstats does not show a record for dates with missing data...

the fillnull_value option also does not work on 726 version.

0 Karma

woodcock
Esteemed Legend

It should already be doing that (that is what it does) but just in case try adding cont=t. In either case, DEFINITELY open a support ticket to report this bug.

http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Timechart

mciudad
Explorer

Thank you, you were right!

What if there is no data in any day? In that case it returns "No results found. " but it should return just 0 bytes per day.

0 Karma

woodcock
Esteemed Legend

According to the dox and every usage I have ever tried, timechart will fill in any empty span slots with 0-values, as long as cont=t (which is the default).

0 Karma
Get Updates on the Splunk Community!

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...

Introducing New Splunkbase Governance!

Splunk apps are essential for maximizing the value of your Splunk Experience. Whether you’re using the default ...

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...