Solved: Re: How to get timechart value even if splunk cont...

clementros · ‎04-23-2019

Hi,

I'm tryin to get the number of alerts by day.

When i have alerts i see the number in statistics. But when i don't received errors in a day. i don't see the _time value of this day.

For example we are the 2019-04-23. My last alert was the 2019-04-17. I want to see :

_time                            count
2019-04-17                  9
2019-04-18                  0
2019-04-19                  0
2019-04-20                  0
2019-04-21                  0
2019-04-22                  0
2019-04-23                  0

clementros · ‎04-23-2019

The following search works for me :

index=main earliest="01/01/2019:00:00:00"| ... | append [| streamstats count | eval count=0] | timechart span=1d count

View solution in original post

clementros · ‎04-23-2019

The following search works for me :

index=main earliest="01/01/2019:00:00:00"| ... | append [| streamstats count | eval count=0] | timechart span=1d count

woodcock · ‎04-23-2019

If you use timechart, by default, it creates empty buckets. Many other commands have a makecontinuous=true argument to do the same thing. We cannot help better because you did not give us your search SPL.

How to get timechart value even if splunk contain no data for this "_time" field ?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?