Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to return 0 when the search has no results in time chart

vrmandadi
Builder
‎08-23-2017 10:15 AM

I am trying to see how can we return 0 if no results are found using timechart for a span of 30minutes.i tried using fill null but its not working

index=abc  sourcetype=qwe HTTP_Code=502 |timechart span=30m count |fillnull value=0

but when I am using a stats command I get the count as 0.

index=abc  sourcetype=qwe HTTP_Code=502 |stats count

output
count-0

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-23-2017 11:13 AM

Try like this

index=abc sourcetype=qwe HTTP_Code=502 |timechart span=30m count | appendpipe [| stats count | where count=0 | addinfo | eval _time=info_min_time | table _time count]

Updated

index=abc sourcetype=qwe HTTP_Code=502 |timechart span=30m count | appendpipe [| stats count | where count=0 | addinfo | eval time=info_min_time." ".info_max_time | table time count | makemv time| mvexpand time | rename time as _time | timechart span=30m max(count) as count]

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-23-2017 11:13 AM

Try like this

index=abc sourcetype=qwe HTTP_Code=502 |timechart span=30m count | appendpipe [| stats count | where count=0 | addinfo | eval _time=info_min_time | table _time count]

Updated

index=abc sourcetype=qwe HTTP_Code=502 |timechart span=30m count | appendpipe [| stats count | where count=0 | addinfo | eval time=info_min_time." ".info_max_time | table time count | makemv time| mvexpand time | rename time as _time | timechart span=30m max(count) as count]
Reply
Solved! Jump to solution

vrmandadi
Builder
‎08-23-2017 12:03 PM

I tried this but the output gives you only one time, I am trying to break down into buckets of 30 minutes

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-23-2017 12:20 PM

Try the updated answer

0 Karma
Reply
Solved! Jump to solution

jackw_splunk
Splunk Employee
Splunk Employee
‎01-19-2020 08:31 PM

the update one is the one works for me !

0 Karma
Reply
Solved! Jump to solution

vrmandadi
Builder
‎08-23-2017 12:29 PM

That worked thank you very much you are always helpful

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎08-23-2017 11:01 AM

try using |makecontinuous span=30m _time |timechart span=30m count

https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Makecontinuous

0 Karma
Reply
Solved! Jump to solution

vrmandadi
Builder
‎08-23-2017 11:05 AM

No luck with that

0 Karma
Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...