Splunk Search

Show a timechart of all hosts even if 0 values exist

Lgo
Explorer

I'm attempting to write a query to show a timechart of the number of results for each host per minute, which is easy enough using the following query:

index=index basesearch | timechart count by host span=1m

It returns exactly what I'm after, except if there are 0 results in the base search for a specific host, it doesn't include a column for it.

If there are results for two hosts but not the 3rd I want it to return the following:

        Host 1  Host 2  Host 3
Minute1      2       1       0
Minute2      3       0       0
Minute3      2       6       0

The number of hosts will always be the same, so if needed it can be specified somehow in the search.

0 Karma
1 Solution

somesoni2
Revered Legend

Try like this (since host names are fixed)

index=index basesearch | timechart count by host span=1m | table _time Host1 Host2 Host3 | fillnull value=0

HiroshiSatoh
Champion

There may be more efficient search sentences...

| tstats count where index=index  by host
| map maxsearches=10000 search="search index=index basesearch  host=$host$
      | timechart span=1m count
      | eval host=\"$host$\""
| timechart span=1m sum(count) as count by host

Replace tstats with the LOOKUP file if possible:

| inputlookup XXXX | table host

0 Karma
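Combining the accepted answer's fillnull approach with HiroshiSatoh's suggestion of keeping the host list in a lookup, here is an added example (not code from either poster) that seeds one zero-count row per known host before the timechart, so every host gets a column without hard-coding names in a `table` command. It assumes a lookup named `known_hosts.csv` with a `host` column, that `index=index basesearch` is the original base search, and that the search time range includes the current minute (the seed rows are stamped with the current minute via `relative_time(now(), "@m")`; for a historical range, stamp them with a time inside that window instead).

```spl
index=index basesearch
| eval count=1
| append
    [| inputlookup known_hosts.csv
     | fields host
     | eval count=0, _time=relative_time(now(), "@m")]
| timechart span=1m limit=0 sum(count) by host
| fillnull value=0
```

Each real event contributes 1 to its host's bucket and each seed row contributes 0, so hosts present in the base search are unchanged, while a host that appears only in the lookup still produces a column (0 in the seeded minute, null elsewhere, which `fillnull` turns into 0). `limit=0` stops timechart from folding hosts beyond the default top 10 into an OTHER series. If a lookup is not available, the subsearch can be replaced with an inline list such as `| makeresults | eval host=split("Host1,Host2,Host3", ",") | mvexpand host`, which reproduces the fixed-name behaviour of the accepted answer.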