Splunk Search

Show count 0 on tstats with index name for multiple indexes

mkarimi17
Path Finder

I have a search:

| tstats count WHERE earliest=-2d@-3h latest=now index=* by index, _time | makecontinuous span=1h _time | eval count=if(isnull(count),0,count)

where the count is shown as 0 if there is no data, however I get an empty field for the index at that specific time. How can I search for every hour and every index and if index Y does not have any count to show:

index _time &nbsp count
Y 2017-09-03 00:00 0

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Give this a try

| tstats count WHERE earliest=-2d@-3h latest=now index=* by index, _time span=1h | timechart sum(count) as count by index limit=0 | fillnull value=0 | untable _time index count

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

Give this a try

| tstats count WHERE earliest=-2d@-3h latest=now index=* by index, _time span=1h | timechart sum(count) as count by index limit=0 | fillnull value=0 | untable _time index count

mkarimi17
Path Finder

thanks! that actually works but any idea why if I go back more than 4 days I lose the hour portion of the _time?

| tstats count WHERE earliest=-5d@-3h latest=now index=* by index, _time span=1h | timechart sum(count) as count by index limit=0 | fillnull value=0 | untable _time index count

when I do that, time only shows the dates. Realistically I am going back -30 days

0 Karma

somesoni2
SplunkTrust
SplunkTrust

My bad. I didn't set the span in timechart command so it was doing auto span based on number of points (which will be higher with longer timerange), try this version

| tstats count WHERE earliest=-5d@-3h latest=now index=* by index, _time span=1h | timechart span=1h sum(count) as count by index limit=0 | fillnull value=0 | untable _time index count

mkarimi17
Path Finder

Perfect! thank you

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...