Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a search to identify periods with no events in historical data?

evelenke
Contributor
‎08-31-2016 05:49 PM

Hi, Splunkers!

I have log where some different events (event A, event B, event C...) are expected to be generated periodically .
Now I want to calculate number of appearances of each event per_hour and identify, what of events did not appear in this particular time chunks and create report.
Like this:

time                   event      count
2016-08-31 22:00;00    event_A    0
2016-08-31 22:00;00    event_B    1
2016-08-31 22:00;00    event_C    3
2016-08-31 23:00;00    event_A    2
...

What I've tried:
1. | bucket _time span=1h | stats count by event _time | sort event by _time
This do not return zero values of count (e.g. time: "2016-08-31 22:00:00" event: "event_A" count: 0)
2. chart or timechart span=1h count by event helps only to visually identify my zero points, but I need an inline table view,
3. stats latest(_time) by event | eval diff=now()-latest ... not an option as this is required for historical data.

Do I miss something? How can I get result alike presented above?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎08-31-2016 06:18 PM

Try this

... | timechart span=1h cont=t count by event | untable _time event count

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎08-31-2016 06:18 PM

Try this

... | timechart span=1h cont=t count by event | untable _time event count
0 Karma
Reply
Solved! Jump to solution

evelenke
Contributor
‎09-01-2016 03:42 AM

This is it, thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Cultivate Your Career Growth with Fresh Splunk Training

Growth doesn’t just happen—it’s nurtured. Like tending a garden, developing your Splunk skills takes the right ...

Introducing a Smarter Way to Discover Apps on Splunkbase

We’re excited to announce the launch of a foundational enhancement to Splunkbase: App Tiering.  Because we’ve ...

How to Send Splunk Observability Alerts to Webex teams in Minutes

As a Developer Evangelist at Splunk, my team and I are constantly tinkering with technology to explore its ...