Hi,
I have this search for example:
index=test elb_status_code=200 | timechart count as total span=1s | stats count as num_seconds by total | sort total
When I search this for 1-2 days, my result includes totals of 0, 1, 2, 3 etc. When I go above that, 3 days for example, I lose all the data about the 0 value and my results start with 1, 2, 3 etc.
Could anyone explain this? Am I doing something wrong, or could this be a bug somewhere?
I have a feeling that Splunk is automatically capping the number of rows when you use | timechart span=1s (this could result in 86400 rows per day), which would explain why your search works fine with 1-2 days but not with more than three.
Maybe you could try binning the _time to a 1s value and then doing stats on it.
index=test elb_status_code=200
| bin _time span=1s
| stats count as total by _time
| stats count as num_seconds by total
| sort 0 total
I am also curious how you got it to show values for total of 0. The count() function does not do that by default.
Thanks, I've tried that but still didn't get the "null" values.
I do get an error which says - "The specified span would result in too many (>175000) rows."
I get this error a lot during this search, but I don't understand why only the null values would be missing.
Additionally - does this error necessarily mean that search has failed or stopped at the limit?
Timechart will be filling in the empty time slots with zeroes. Given that you have an error, I suspect that this part of the process hasn't been reached before the error, which is why these are missing from your final result.
Not sure if this will help, but you could try
| sort 0 total
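The two points made above, that timechart fills empty 1s buckets with zeroes while `bin` + `stats` only emits buckets that actually contain events, and that a 1s span over several days produces more rows than the cap quoted in the error, can be checked offline. The following Python model is an added illustration written for this thread, not SPL and not code from Splunk; the event timestamps are constructed, and the 175000 figure is taken from the error message quoted in the question (how Splunk applies that cap internally is not something this thread establishes).

```python
from collections import Counter

# Constructed sample: epoch seconds of elb_status_code=200 events over a
# 12-second window (seconds 0..11). Seconds 3, 4, 8 and 10 have no events,
# which is exactly the "total of 0" case the thread is asking about.
EVENT_TIMES = [0, 0, 1, 2, 2, 2, 5, 6, 6, 7, 9, 11, 11]

# Row cap quoted in the thread's error message (assumed to apply to timechart output).
TIMECHART_ROW_LIMIT = 175000


def bin_then_stats(event_times, span=1):
    """Model `| bin _time span=<span>s | stats count as total by _time`.

    stats only produces a row for a bucket that has at least one event,
    so a second with zero events never appears in the output.
    """
    buckets = Counter(t - t % span for t in event_times)
    return dict(sorted(buckets.items()))


def timechart(event_times, start, end, span=1):
    """Model `| timechart count as total span=<span>s` over [start, end].

    timechart emits every bucket in the searched time range, so empty
    seconds are present with total=0.
    """
    buckets = Counter(t - t % span for t in event_times)
    return {t: buckets.get(t, 0) for t in range(start, end + 1, span)}


def seconds_by_total(per_second_counts):
    """Model `| stats count as num_seconds by total | sort total`.

    Returns a sorted list of (total, num_seconds) pairs.
    """
    return sorted(Counter(per_second_counts.values()).items())


def timechart_rows(days, span=1):
    """Rows a timechart would emit for `days` days at a `span`-second span."""
    return days * 86400 // span


def exceeds_row_limit(days, span=1, limit=TIMECHART_ROW_LIMIT):
    """True when the span/time-range combination produces more rows than the cap."""
    return timechart_rows(days, span) > limit


if __name__ == "__main__":
    print("bin + stats :", seconds_by_total(bin_then_stats(EVENT_TIMES)))
    print("timechart   :", seconds_by_total(timechart(EVENT_TIMES, 0, 11)))
    for days in (1, 2, 3):
        print(f"{days} day(s) at span=1s -> {timechart_rows(days)} rows,"
              f" over limit: {exceeds_row_limit(days)}")
```

Running it shows the `bin` + `stats` distribution starting at total=1 while the timechart-based one has a total=0 row for the four empty seconds, which is why the rewritten search in the answer above cannot reproduce the 0 value. The row arithmetic also lines up with the symptom in the question: 1 and 2 days at a 1s span give 86400 and 172800 rows, both under 175000, while 3 days gives 259200, which is over it.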