Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Show a timechart of all hosts even if 0 values exist

Lgo
Explorer
‎08-16-2017 06:14 PM

I'm attempting to write a query to show a timechart of the number of results for each host per minute, which is easy enough using the following query

index=index basesearch | timechart count by host span=1m

It returns exactly what I'm after, except if there are 0 results in the base search for a specific host it doesn't include a column for it.

If there are results for two hosts but not the 3rd I want it to return the following
--------------Host 1 Host 2 Host 3
Minute1 ------2---------1-----------0
Minute2 ------3---------0-----------0
Minute3 ------2---------6-----------0

The number of hosts will always be the same so if needed can be specified somehow in the search

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-17-2017 11:35 AM

Try like this (since host names are fixed)

index=index basesearch | timechart count by host span=1m | table _time Host1 Host2 Host3 | fillnull value=0

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-17-2017 11:35 AM

Try like this (since host names are fixed)

index=index basesearch | timechart count by host span=1m | table _time Host1 Host2 Host3 | fillnull value=0
Reply
Solved! Jump to solution

HiroshiSatoh
Champion
‎08-16-2017 09:54 PM

There may be more efficient search sentences・・・

| tstats count where index=index  by host
| map maxsearches=10000 search="search index=index basesearch  host=$host$
      | timechart span=1m count
      | eval host=\"$host$\""
| timechart span=1m sum(count) as count by host

Replace tstats with the LOOKUP file if possible
|inputlookuo XXXX|table host

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...