Splunk Search

how to use timechart count to return 0 when value is null, fillnull not working

lasonyadj
New Member

I am working on a search that returns counts by the hour, but when the event has not occurred I would still like to fill in the column with zeros instead of it not appearing at all. I have tried fillnull, eval=if, eval=ifnull and it still has the same behavior. Any ideas? How do I create dummy data for when this occurs?

sourcetype=x OR sourcetype=y OR sourcetype=z | timechart count span=1h by sourcetype

0 Karma
1 Solution

paulbannister
Communicator

After your timechart command add:

| table _time, sourcetype1, sourcetype2, sourcetype3
| fillnull value=0 sourcetype1 sourcetype2 sourcetype3

This should still display the data as a timechart, but it creates the missing fields so that they are subject to "fillnull".

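Worked example of the accepted approach, written for this page and not posted by the original participants. It assumes the three sourcetypes from the question are literally named x, y and z; in a real search the columns that `timechart ... by sourcetype` produces are named after the sourcetype values, so `table` and `fillnull` must list those values, not placeholders such as sourcetype1. `limit=0` is added so that more than ten sourcetypes are not collapsed into an OTHER column. The final `where` is an optional extra step that turns the padded table into a list of hours in which a source went silent, which is the usual reason to want zeros rather than missing cells when watching log-source health:

```spl
sourcetype=x OR sourcetype=y OR sourcetype=z
| timechart limit=0 span=1h count by sourcetype
| table _time x y z
| fillnull value=0 x y z
| where x=0 OR y=0 OR z=0
```

Drop the last line to keep the full zero-padded timechart. Sourcetype values that contain characters such as colons (for example WinEventLog:Security) have to be double-quoted in the `table` and `fillnull` field lists and single-quoted inside `where` or `eval`.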

lasonyadj
New Member

That works!! Thanks!

0 Karma

DalJeanis
Legend

Great! Please be sure to accept the answer that works, and upvote any answers that were helpful.

0 Karma

paulbannister
Communicator

No problem

0 Karma

dineshraj9
Builder

Add the usenull flag to the timechart command -

sourcetype=x OR sourcetype=y OR sourcetype=z | timechart span=1h count by sourcetype usenull=true

0 Karma

lasonyadj
New Member

Tried that too, it didn't work either.

0 Karma

dineshraj9
Builder

You have to ensure that there is at least one event from each of the sourcetypes so that you can see 0 values for those.

If any of x or y or z has no events at all in the time range you are searching, they won't show up in the results with 0 values for any of the time range.

0 Karma

lasonyadj
New Member

So there is no way to pad these sources with zero when there are no events?

0 Karma

dineshraj9
Builder

Try this -

sourcetype=x OR sourcetype=y OR sourcetype=z | timechart span=1h count by sourcetype usenull=true | fillnull value=0 x y z

lasonyadj
New Member

correction:
sourcetype=x OR sourcetype=y OR sourcetype=z | timechart count span=1h by sourcetype

0 Karma

lasonyadj
New Member

Also tried usenull, it didn't work either.

0 Karma