Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to return 0 when the search has no results in time chart

vrmandadi
Builder
‎08-23-2017 10:15 AM

I am trying to see how can we return 0 if no results are found using timechart for a span of 30minutes.i tried using fill null but its not working

index=abc  sourcetype=qwe HTTP_Code=502 |timechart span=30m count |fillnull value=0

but when I am using a stats command I get the count as 0.

index=abc  sourcetype=qwe HTTP_Code=502 |stats count

output
count-0

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-23-2017 11:13 AM

Try like this

index=abc sourcetype=qwe HTTP_Code=502 |timechart span=30m count | appendpipe [| stats count | where count=0 | addinfo | eval _time=info_min_time | table _time count]

Updated

index=abc sourcetype=qwe HTTP_Code=502 |timechart span=30m count | appendpipe [| stats count | where count=0 | addinfo | eval time=info_min_time." ".info_max_time | table time count | makemv time| mvexpand time | rename time as _time | timechart span=30m max(count) as count]

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-23-2017 11:13 AM

Try like this

index=abc sourcetype=qwe HTTP_Code=502 |timechart span=30m count | appendpipe [| stats count | where count=0 | addinfo | eval _time=info_min_time | table _time count]

Updated

index=abc sourcetype=qwe HTTP_Code=502 |timechart span=30m count | appendpipe [| stats count | where count=0 | addinfo | eval time=info_min_time." ".info_max_time | table time count | makemv time| mvexpand time | rename time as _time | timechart span=30m max(count) as count]
Reply
Solved! Jump to solution

vrmandadi
Builder
‎08-23-2017 12:03 PM

I tried this but the output gives you only one time, I am trying to break down into buckets of 30 minutes

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-23-2017 12:20 PM

Try the updated answer

0 Karma
Reply
Solved! Jump to solution

jackw_splunk
Splunk Employee
Splunk Employee
‎01-19-2020 08:31 PM

the update one is the one works for me !

0 Karma
Reply
Solved! Jump to solution

vrmandadi
Builder
‎08-23-2017 12:29 PM

That worked thank you very much you are always helpful

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎08-23-2017 11:01 AM

try using |makecontinuous span=30m _time |timechart span=30m count

https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Makecontinuous

0 Karma
Reply
Solved! Jump to solution

vrmandadi
Builder
‎08-23-2017 11:05 AM

No luck with that

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...