Why does makeresults returns "1" instead of "0"?

rrovers · ‎02-06-2023

My search:

| makeresults earliest=-2h
| timechart count as aantal span=1m

returns a list of zero's but for the last/current minute it returns "1". I only want zero's back to combine this search with a timechart.

After combining these searches (makeresults and timechart) there should be no message "no values found" anymore.

What do I have to change to have only zero's as a result of my makeresults search?

ITWhisperer · ‎02-06-2023

makeresult creates an event with a timestamp (more is you use count=0).

timechart uses earliest (and latest) to aggregate over using span to determine the buckets.

Your latest count is 1 from the makeresults.

Try a different aggregation e.g. max() and then fillnull

| makeresults earliest=-2h
| timechart max(aantal) as aantal span=1m
| fillnull value=0 aantal

PaulPanther · ‎02-06-2023

I have no clue what do you wanna achieve at the end 😄

But you could do it like

| makeresults earliest=-2h
| timechart count as aantal span=1m
| eval aantal=if(aantal=1,"0","0")

Why does makeresults returns "1" instead of "0"?

timechart

Splunk App Dev Community Updates – What’s New and What’s Next

The Latest Cisco Integrations With Splunk Platform!

Enterprise Security Content Update (ESCU) | New Releases

Are you a member of the Splunk Community?

Why does makeresults returns "1" instead of "0"?

timechart

Splunk App Dev Community Updates – What’s New and What’s Next

The Latest Cisco Integrations With Splunk Platform!

Enterprise Security Content Update (ESCU) | New Releases