Solved: Re: How to get timechart value even if splunk cont...

clementros · ‎04-23-2019

Hi,

I'm tryin to get the number of alerts by day.

When i have alerts i see the number in statistics. But when i don't received errors in a day. i don't see the _time value of this day.

For example we are the 2019-04-23. My last alert was the 2019-04-17. I want to see :

_time                            count
2019-04-17                  9
2019-04-18                  0
2019-04-19                  0
2019-04-20                  0
2019-04-21                  0
2019-04-22                  0
2019-04-23                  0

clementros · ‎04-23-2019

The following search works for me :

index=main earliest="01/01/2019:00:00:00"| ... | append [| streamstats count | eval count=0] | timechart span=1d count

View solution in original post

clementros · ‎04-23-2019

The following search works for me :

index=main earliest="01/01/2019:00:00:00"| ... | append [| streamstats count | eval count=0] | timechart span=1d count

woodcock · ‎04-23-2019

If you use timechart, by default, it creates empty buckets. Many other commands have a makecontinuous=true argument to do the same thing. We cannot help better because you did not give us your search SPL.

How to get timechart value even if splunk contain no data for this "_time" field ?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation