Splunk Search

Results for each minute in an hour (even if there's no data)

patilsh
Explorer

Hello All,

Suppose I want search results for the past 60 minutes. How Splunk works now is that if there is any event in the past 60 minutes, then that event is displayed.

But what I want is this: suppose the time is 4pm and I ask for the past 60 minutes. Splunk should start the data from 4:00, 4:01, ... and so on till 5:00, irrespective of whether data is present or not; if data is not present, the result should give the time with the corresponding columns blank.

Can someone please help me with this?


DalJeanis
Legend

That depends on what you mean by "corresponding columns".

If you have very sparse events and want to show the details for the events when they are present, but show blank lines with the _time when they are not, then you can do this...

your search
| fields field1 field2 field3 field4
| append 
    [|makeresults 
     | addinfo 
     | eval mystart=relative_time(info_min_time,"@m")
     | eval myend=relative_time(info_max_time,"@m+61s")
     | eval mytimes=mvrange(mystart,myend,60)
     | table mytimes
     | mvexpand mytimes
     | rename mytimes as _time
     ]
| table _time field1 field2 field3 field4
| fillnull value=""
| stats max(*) as * by _time

Some of that is unnecessary if you are using a stats command already, though.

your search
| fields foo bar
| bin _time span=1m
| stats count as mycount avg(foo) as avgfoo sum(bar) as sumbar by _time 
| append
    [|makeresults 
     | addinfo 
     | eval mystart=relative_time(info_min_time,"@m")
     | eval myend=relative_time(info_max_time,"@m+61s")
     | eval mytimes=mvrange(mystart,myend,60)
     | table mytimes
     | mvexpand mytimes
     | rename mytimes as _time
     | eval mycount = 0 
     ]
| stats sum(mycount) as count max(avgfoo) as avgfoo max(sumbar) as sumbar by _time
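To make the mechanics of the two searches above concrete, here is an added illustration in Python (not code from this thread and not Splunk's own code) that does the same thing over a handful of constructed events: snap each event down to its minute (`bin _time span=1m`), generate one bucket per minute of the search window (the `makeresults | addinfo | mvrange` subsearch), and then join the two so that minutes with no events still appear with a count of 0 or blank fields. The window boundaries, field names and event values are all constructed for the example; the bucket range is taken as the half-open window [earliest, latest) rather than the `@m+61s` variant in the SPL. The zero rows are the point: a minute that is empty because a log source went quiet is only visible once every bucket is materialised.

```python
from collections import Counter
from datetime import datetime, timezone


def floor_minute(ts: float) -> int:
    """relative_time(ts, "@m"): snap an epoch timestamp down to the start of its minute."""
    ts = int(ts)
    return ts - ts % 60


def minute_buckets(info_min_time: float, info_max_time: float) -> list[int]:
    """One bucket start per minute of the half-open search window [earliest, latest).

    This plays the role of the makeresults/addinfo/mvrange subsearch in the SPL above.
    """
    first = floor_minute(info_min_time)
    last = floor_minute(info_max_time - 1)  # last minute that still starts inside the window
    return list(range(first, last + 60, 60))


def dense_minute_counts(event_times, info_min_time: float, info_max_time: float):
    """Second SPL form: bin _time span=1m | stats count by _time, then zero-fill every minute."""
    counts = Counter(
        floor_minute(t) for t in event_times if info_min_time <= t < info_max_time
    )
    return [(bucket, counts.get(bucket, 0)) for bucket in minute_buckets(info_min_time, info_max_time)]


def dense_minute_rows(events, fields, info_min_time: float, info_max_time: float):
    """First SPL form: one row per minute with max(*) of each field, "" where no event exists."""
    by_bucket: dict[int, dict] = {}
    for ev in events:
        if not (info_min_time <= ev["_time"] < info_max_time):
            continue  # outside the search window, just as Splunk would not return it
        row = by_bucket.setdefault(floor_minute(ev["_time"]), {})
        for f in fields:
            # max(*) as *: keep the largest value seen for the field in this minute
            if f in ev and (f not in row or ev[f] > row[f]):
                row[f] = ev[f]
    out = []
    for bucket in minute_buckets(info_min_time, info_max_time):
        row = {"_time": bucket}
        for f in fields:
            row[f] = by_bucket.get(bucket, {}).get(f, "")  # fillnull value=""
        out.append(row)
    return out


def _epoch(hh: int, mm: int, ss: int) -> float:
    return datetime(2024, 1, 1, hh, mm, ss, tzinfo=timezone.utc).timestamp()


# Constructed sample: a 10-minute window with events in only two of its minutes,
# plus one event just past the window that must be dropped.
WINDOW_START = _epoch(15, 50, 0)
WINDOW_END = _epoch(16, 0, 0)
SAMPLE_EVENTS = [
    {"_time": _epoch(15, 52, 10), "host": "web01", "status": 200},
    {"_time": _epoch(15, 52, 40), "host": "web02", "status": 500},
    {"_time": _epoch(15, 57, 5), "host": "web01", "status": 200},
    {"_time": _epoch(16, 3, 0), "host": "web01", "status": 200},
]


if __name__ == "__main__":
    # Same output shape as "| stats count by _time" after the append: every minute, zeros included.
    for bucket, count in dense_minute_counts([e["_time"] for e in SAMPLE_EVENTS], WINDOW_START, WINDOW_END):
        print(datetime.fromtimestamp(bucket, timezone.utc).strftime("%H:%M"), count)
    print()
    for row in dense_minute_rows(SAMPLE_EVENTS, ["host", "status"], WINDOW_START, WINDOW_END):
        print(datetime.fromtimestamp(row["_time"], timezone.utc).strftime("%H:%M"), row["host"], row["status"])
```

Running it prints ten rows per table, with 15:52 showing a count of 2 (and host `web02`, status `500` under `max(*)`), 15:57 showing 1, and every other minute 0 or blank.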

patilsh
Explorer

Hey,

Can you please tell me what info_min_time and info_max_time are?


woodcock
Esteemed Legend

Just add this:

| timechart span=1m count

patilsh
Explorer

timechart gives continuous values only after the first entry is found.

For example, say the present time is 9pm and I want the data from 60 minutes ago, i.e. data from 8pm.

But if the first entry is at 8:10pm, timechart will give all the values from 8:10 till 9pm irrespective of whether data is present or not, but I also want blank entries from 8:00 to 8:10pm as well.


mtranchita
Communicator

If I follow the desired outcome, he would need to include usenull, so something like:
| timechart usenull=1 span=1m count


s2_splunk
Splunk Employee

If it's 4pm and you say 'past 60mins', Splunk will return data from 3pm-4pm. Not sure I understand what you are trying to do.


lfedak_splunk
Splunk Employee

Hey @patilsh, the comments on this post show each count by minute, and then a second comment explains how to show the minutes without values:
https://answers.splunk.com/answers/227568/how-to-edit-my-search-to-return-one-count-for-each.html
