Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timechart drops empty results - causes trouble with predict

Olli1919
Path Finder
‎05-19-2014 06:27 AM

Hi,

I am doing a prediction with a "timechart count" as base search, which works fine:

index=logins username | timechart span=1d count | predict count

But when the base search has leading "zero event count" days, timechart cuts off these days. This happens whether fillnull is used or not. This now causes a problem with predict, as predict requires a minimum of two data points: Predict gives its first results for the third day, but it should also report the change on day one and two.

Is there a way to make timechart keep the empty leading results?

Thanks,
Oliver

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

emechler_splunk
Splunk Employee
Splunk Employee
‎05-19-2014 03:24 PM

Use fillnull (from http://answers.splunk.com/answers/106774😞

index=logins username | fillnull value=NoValue | timechart span=1d count | predict count

View solution in original post

Reply
Solved! Jump to solution
Solution

emechler_splunk
Splunk Employee
Splunk Employee
‎05-19-2014 03:24 PM

Use fillnull (from http://answers.splunk.com/answers/106774😞

index=logins username | fillnull value=NoValue | timechart span=1d count | predict count
Reply
Solved! Jump to solution

Olli1919
Path Finder
‎05-19-2014 11:49 PM

This works, thank you - I thought I had tried it 🙂

0 Karma
Reply
Solved! Jump to solution

Olli1919
Path Finder
‎05-19-2014 06:40 AM

I found this, but isn't there an easier solution? The Splunk GUI also displays the right results just before they get chopped off in the page refresh an instant later 😉

http://answers.splunk.com/answers/118496/fill-in-0-for-timechart-with-missing-values

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...