Solved: Re: Removing empty bins in timechart

dtow1 · ‎07-18-2018

Hello,

I am unable to eliminate empty buckets using the timechart command since moving to Splunk 7.0. For example in the below query I will see a gap for Tuesday and a continuous line from the Monday value to the Wednesday value. I'd like the chart (in this example) to not show Tuesday at all, just go from Monday to Wednesday. This used to work in older versions, so is there a modification needed to get this to work in Splunk 7.0+.

Thanks for any assistance.

index="_audit" | timechart cont=false count(date_wday) by date_wday | eval date_wday=lower(strftime(_time,"%A")) | where (date_wday!="tuesday") | fields - date_wday

skoelpin · ‎07-18-2018

If you use stats this will give you what you're looking for

index="_audit" 
| stats count(date_wday) by date_wday 
| eval date_wday=lower(strftime(_time,"%A")) 
| where (date_wday!="tuesday") 
| fields - date_wday

View solution in original post

woodcock · ‎07-24-2018

You are looking at it the wrong way. Run for Last 7 days and check out the difference (note cont=) in the number of ROWS between this search:

index="_audit" 
| eval date_wday=lower(strftime(_time,"%A")) 
| where (date_wday!="tuesday") 
| timechart span=1d cont=false count(date_wday) by date_wday

And this search:

index="_audit" 
| eval date_wday=lower(strftime(_time,"%A")) 
| where (date_wday!="tuesday") 
| timechart span=1d cont=true count(date_wday) by date_wday

dtow1 · ‎07-27-2018

Thanks for answering, this still has the same issue that for me though.

dtow1 · ‎08-07-2018

Working with Splunk support, it appears that it is a bug. Thank you very much for taking the time to answer.

DalJeanis · ‎07-24-2018

You are working too hard. timechart will already bin the days for you automatically, so it doesn't make sense for you to be binning the count up by date_wday.

Use this if you are only doing your count by day:

index="_audit" 
| timechart span=d count 
| where count>0

On the other hand, if you are doing your count by hour, and also want to eliminate days where there were no count at all, then you need something slightly more complex.

index="_audit" 
| timechart span=h count as mycount 
| bin _time span=1d as Day 
| eventstats sum(mycount) as Daycount by Day 
| where Daycount > 0 
| fields - Day Daycount

And if you just want to kill Tuesday July 17, 2018 , for no particular reason, then you could do this...

index="_audit" 
| timechart span=h count as mycount 
| where strftime(_time,"%Y-%m-%d") != "2018-07-24"

dtow1 · ‎07-27-2018

Thanks for the answer, unfortunately I still see the day that I want to remove when I use this. No values show for the day, but the day is still present in the chart.

dtow1 · ‎08-07-2018

Thank you for answering. It turns out that it is a bug.

skoelpin · ‎07-18-2018

If you use stats this will give you what you're looking for

index="_audit" 
| stats count(date_wday) by date_wday 
| eval date_wday=lower(strftime(_time,"%A")) 
| where (date_wday!="tuesday") 
| fields - date_wday

skoelpin · ‎07-24-2018

@dtow1 did this help you?

dtow1 · ‎08-07-2018

Thank you for answering. It turns out that the issue is a bug in our environment.

dtow1 · ‎07-24-2018

Thank you for answering though and giving me other avenues to try.

dtow1 · ‎07-24-2018

Hi skoelpin,

Unfortunately it did not. I'm still playing around with it though and if the solution comes out of a modification of what you posted I will accept it as the answer and update it with whatever the total solution is.

Removing empty bins in timechart

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?