Splunk Search

Removing empty bins in timechart

Path Finder

Hello,

I am unable to eliminate empty buckets using the timechart command since moving to Splunk 7.0. For example, in the below query I will see a gap for Tuesday and a continuous line from the Monday value to the Wednesday value. I'd like the chart (in this example) to not show Tuesday at all, just go from Monday to Wednesday. This used to work in older versions, so is there a modification needed to get this to work in Splunk 7.0+?

Thanks for any assistance.

index="_audit" 
| timechart cont=false count(date_wday) by date_wday 
| eval date_wday=lower(strftime(_time,"%A")) 
| where (date_wday!="tuesday") 
| fields - date_wday


SplunkTrust

If you use stats, this will give you what you're looking for:

index="_audit" 
| eval date_wday=lower(strftime(_time,"%A")) 
| where (date_wday!="tuesday") 
| stats count(date_wday) by date_wday 
| fields - date_wday


Esteemed Legend

You are looking at it the wrong way. Run for Last 7 days and check out the difference (note cont=) in the number of ROWS between this search:

index="_audit" 
| eval date_wday=lower(strftime(_time,"%A")) 
| where (date_wday!="tuesday") 
| timechart span=1d cont=false count(date_wday) by date_wday

And this search:

index="_audit" 
| eval date_wday=lower(strftime(_time,"%A")) 
| where (date_wday!="tuesday") 
| timechart span=1d cont=true count(date_wday) by date_wday

Path Finder

Thanks for answering, this still has the same issue for me though.


Path Finder

Working with Splunk support, it appears that it is a bug. Thank you very much for taking the time to answer.


SplunkTrust

You are working too hard. timechart will already bin the days for you automatically, so it doesn't make sense for you to be binning the count up by date_wday.

Use this if you are only doing your count by day:

index="_audit" 
| timechart span=d count 
| where count>0

On the other hand, if you are doing your count by hour, and also want to eliminate days where there was no count at all, then you need something slightly more complex.

index="_audit" 
| timechart span=h count as mycount 
| bin _time span=1d as Day 
| eventstats sum(mycount) as Daycount by Day 
| where Daycount > 0 
| fields - Day Daycount

And if you just want to kill Tuesday, July 17, 2018, for no particular reason, then you could do this...

index="_audit" 
| timechart span=h count as mycount 
| where strftime(_time,"%Y-%m-%d") != "2018-07-24" 
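As an added illustration (not code from this thread, nor from Splunk): the hourly-bucket, per-day-sum, drop-empty-days pipeline from the answer above, re-implemented in Python over a constructed set of audit-style event timestamps, so that the effect of cont=true versus cont=false and of the trailing where filter on the result rows can be inspected directly. The function names, SAMPLE_EVENTS and the start/end window are assumptions of this example; it models only the search pipeline's rows, not how the chart panel draws them.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed _audit-style event timestamps (UTC); not real Splunk data.
# Monday 2018-07-23 has 3 events, Tuesday 2018-07-24 has none,
# Wednesday has 2, Thursday has 1.
SAMPLE_EVENTS = [
    "2018-07-23T09:15:00", "2018-07-23T09:40:00", "2018-07-23T17:05:00",
    "2018-07-25T08:00:00", "2018-07-25T23:30:00",
    "2018-07-26T12:00:00",
]


def parse(ts):
    """Parse an ISO-8601 timestamp as an aware UTC datetime (stands in for _time)."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def timechart_count(events, span_hours, start, end, cont=True):
    """Mimic `timechart span=<N>h count as mycount` over the window [start, end).

    cont=True emits a zero row for every empty bucket (the gap the OP sees);
    cont=False emits only buckets that actually contain events.
    """
    span = timedelta(hours=span_hours)
    counts = defaultdict(int)
    for e in events:
        t = parse(e)
        bucket = start + span * ((t - start) // span)  # floor to bucket start
        counts[bucket] += 1
    rows = []
    b = start
    while b < end:
        if cont or counts.get(b, 0) > 0:
            rows.append({"_time": b, "mycount": counts.get(b, 0)})
        b += span
    return rows


def drop_empty_days(rows):
    """Mimic `bin _time span=1d as Day | eventstats sum(mycount) as Daycount by Day
    | where Daycount > 0`: keep hourly rows only for days with at least one event."""
    day_total = defaultdict(int)
    for r in rows:
        day_total[r["_time"].date()] += r["mycount"]
    return [r for r in rows if day_total[r["_time"].date()] > 0]


def drop_date(rows, iso_date):
    """Mimic `where strftime(_time,"%Y-%m-%d") != "<date>"` for one specific day."""
    return [r for r in rows if r["_time"].strftime("%Y-%m-%d") != iso_date]


def days_present(rows):
    """Distinct calendar days that still have rows, sorted (what the x-axis would cover)."""
    return sorted({r["_time"].strftime("%Y-%m-%d") for r in rows})


if __name__ == "__main__":
    # Assumed window: Monday 00:00 through Thursday 23:59, four full days.
    start, end = parse("2018-07-23T00:00:00"), parse("2018-07-27T00:00:00")
    hourly = timechart_count(SAMPLE_EVENTS, 1, start, end, cont=True)
    print("hourly rows with cont=true :", len(hourly), days_present(hourly))
    sparse = timechart_count(SAMPLE_EVENTS, 1, start, end, cont=False)
    print("hourly rows with cont=false:", len(sparse), days_present(sparse))
    kept = drop_empty_days(hourly)
    print("after eventstats/where     :", len(kept), days_present(kept))
    print("after dropping 2018-07-24  :", days_present(drop_date(hourly, "2018-07-24")))
```

With cont=true the hourly search yields 96 rows across all four days, including 24 zero rows for Tuesday; the eventstats/where step removes exactly those 24, leaving 72 rows spanning Monday, Wednesday and Thursday, the same set the one-day where filter produces. That matches what the answers describe for the result set; the OP's report that the chart still shows the day is about the rendering of those rows, which this example does not model.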

Path Finder

Thanks for the answer, unfortunately I still see the day that I want to remove when I use this. No values show for the day, but the day is still present in the chart.


Path Finder

Thank you for answering. It turns out that it is a bug.


SplunkTrust

@dtow1 did this help you?


Path Finder

Thank you for answering. It turns out that the issue is a bug in our environment.

Path Finder

Thank you for answering though and giving me other avenues to try.


Path Finder

Hi skoelpin,

Unfortunately it did not. I'm still playing around with it though and if the solution comes out of a modification of what you posted I will accept it as the answer and update it with whatever the total solution is.
