How to get the 0 data rows using tstats query?

Vani_26 · ‎05-30-2023

Original query:

index=app-data  sourcetype=clientapp-code
|rex field=_raw "\Status\:(?<Code>.*?)\|"
|eval Failed=if(Code!=0, "Failed", null())
|bucket _time span=1d
|stats count(Failed) as Fail by _time

OUTPUT:

_time	Fail
2022-01-22	6
2022-01-23	0
2022-01-24	8
2022-01-25	0
2022-01-26	0
2022-01-27	12
2022-01-28	0
2022-01-29	0

tstats query:

|tstats count where  index=app-data  sourcetype=clientapp-code by PREFIX(status:) _time span=1d
|rename status: as Code
|eval Failed=if(Code!=0, "Failed", null())
|where Code!=0
|stats values(count) by _time

OUTPUT:

_time	Fail
2022-01-22	6
2022-01-24	8
2022-01-27	12

I want to see original query output with tstats query but 0 data rows are not showing up in tstats command.
How can i get the 0 data rows using tstats query???

isoutamo · ‎06-06-2023

Hi

have you try this makecontinuous?

r. Ismo

VatsalJagani · ‎06-05-2023

@Vani_26 - You forget to do | bucket in your second query.

Try adding either bucket or bin command before stats, similar to your first query.

OR alternatively, you can use timechart command instead of the stats command.

| timechart span=1d sum(count) as Fail

I hope this helps!!!

How to get the 0 data rows using tstats query?

tstats

Good Sourcetype Naming

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Splunk App for Anomaly Detection End of Life Announcement

Are you a member of the Splunk Community?

How to get the 0 data rows using tstats query?

tstats

Good Sourcetype Naming

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Splunk App for Anomaly Detection End of Life Announcement