Splunk Search

Show hourly count as zero if no data found for all indexes

mkarimi17
Path Finder

I have a search:

| tstats count WHERE earliest=-2d@d latest=now index=* by index, _time | makecontinuous span=1h _time | fillnull value=0 count

If I search it by all indexes "*", no empty fields are shown.

If I search by a specific index that I know in fact is missing items, I get 0 for the count, and no index listed in the table.

0 Karma

mhouse3
Path Finder

How about this
| tstats count where index=* by _time span=1h | timechart span=1h max(count) as count | fillnull value=0 count

timechart by default (unless you specify fixedrange=f) creates a row for each time bucket from the beginning of the search period until the end of the search period. So, the timechart creates all the necessary rows, and then fillnull puts a 0 in all empty row.

0 Karma

mkarimi17
Path Finder

that doesn't really do it by index though. I tried using timechart before but couldn't get it to specify by index.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...