Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Timechart filldown

perrinj2
Path Finder
‎09-23-2020 07:49 PM

 

I have a dashboard search which ends with a timechart like this

 

| eval VUser=if(isnotnull(Stop_time),0,VUser)

| timechart count(VUser) by Protocol

 

The event with the VUser field is only present for one time interval of the timechart series so I want do the equivalent of a filldown until Stop_time is not null and then reset the VUser count.

Filldown only works when there are nulls. In the above example when there are no values for VUser timechart generates a zero value rather than a null which is why filldown is no good.

 

What else can I do in this case?

 

 

Labels (1)
Labels
0 Karma
Reply

perrinj2
Path Finder
‎09-24-2020 05:21 PM

Good idea but this only works if I remove the "by Protocol" split which I need

The stats tab shows a series of columns with Protocol values as headings. How can I refer to these fields to try the eval command to change zero to null?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-24-2020 08:42 AM

Try "fudging" it by setting the zero values to nulls so filldown works.

| eval VUser=if(isnotnull(Stop_time),0,VUser)
| timechart count(VUser) as Count by Protocol
| eval Count=if(Count==0, NULL, Count)
| filldown Count

 

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...

New Splunk Innovations Enhance Performance and Accelerate Troubleshooting

Splunk is excited to announce new releases that empower ITOps and engineering teams to stay ahead in ever ...
Top