Splunk Search

how to get data as per _time when count is 0

Learner
Path Finder
index=dummy <mySearchCondition>| search response_code1!=200| stats count

When I search with this query I get 0 in the count column, but when I try this query:

index=dummy <mysearchCondition> | bin _time span=1d |eval Time=strftime(_time , "%d/%m/%Y %H:%M")| search response_code1!=200| stats count by Time

Expected answer for this:

Time              count
2021-04-20 04:36  0

I'm not able to see any output. What should I do?

0 Karma

ITWhisperer
SplunkTrust

bin _time span=1d


Snaps all values of _time to the start of the day, i.e. 00:00, so you will not see 04:36. Also, the time format you seem to be expecting is not the format you have used for Time. Apart from that, you should get counts for the days present in your search, except when you have removed all the events for any particular day. The stats are grouped by Time, and there are no values for Time once you have filtered out all the response_code1=200.

0 Karma
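As an added example (not code from either post above), one way to keep a row with count 0 for a day is to count conditionally inside stats instead of filtering the events away beforehand: every day that has events in the index then still produces a row, and days where no response differs from 200 show 0. The index name, the response_code1 field and the <mySearchCondition> placeholder are taken from the question as written.

```spl
index=dummy <mySearchCondition>
| bin _time span=1d
| eval Time=strftime(_time, "%d/%m/%Y %H:%M")
| stats count(eval(response_code1!=200)) AS count BY Time
```

If you also need rows for days with no events at all, `timechart span=1d count(eval(response_code1!=200)) AS count` fills every day in the searched time range with a 0 bucket.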