I am working on a search that returns counts by the hour, but when the event has not occurred, I would still like to fill in the column with zeros instead of it not appearing at all. I have tried fillnull, eval=if, eval=ifnull and it still has the same behavior. Any ideas? How do I create dummy data for when this occurs?
sourcetype=x Or sourcetype=y Or Sourcetype=z |timchart count span=1h by sourcetype
After your timechart command add:
| table _time, sourcetype1, sourcetype2, sourcetype3
| fillnull sourcetype1, sourcetype2, sourcetype3
This should still display the data as a timechart, but it creates the missing fields so that they are subject to "fillnull".
That works!! Thanks!
Great! Please be sure to accept the answer that works, and upvote any answers that were helpful.
No problem
Add the usenull flag to the timechart command -
sourcetype=x OR sourcetype=y OR sourcetype=z | timechart span=1h usenull=true count by sourcetype
Tried that too, it didn't work either.
You have to ensure that there is at least 1 event from each of the sourcetypes so that you can see 0 values for those.
If any of x or y or z has no events at all in the time range you are searching, they won't show up in the results with 0 values for any of the time range.
So there is no way to pad these sources with zero when there are no events?
Try this -
sourcetype=x OR sourcetype=y OR sourcetype=z | timechart span=1h usenull=true count by sourcetype | fillnull value=0 x y z
correction:
sourcetype=x OR sourcetype=y OR sourcetype=z | timechart count span=1h by sourcetype
Also tried usenull, it didn't work either.
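The point raised above is that fillnull and usenull can only zero-fill a column that timechart has already created, and timechart only creates a column for a sourcetype that produced at least one event in the search window. The search below is an added example, not one of the answers in this thread: it appends one zero-weighted dummy row per sourcetype with makeresults so that every column exists even when a sourcetype is completely silent, then sums a per-event counter instead of counting rows, so the dummy rows contribute 0 rather than 1. It assumes the sourcetype values are literally x, y and z, and that the search time range includes the moment the search runs, because makeresults stamps its rows with the current time and timechart drops rows that fall outside the range.

```spl
sourcetype=x OR sourcetype=y OR sourcetype=z
| eval count=1
| append [
    | makeresults
    | eval sourcetype="x,y,z", count=0
    | makemv delim="," sourcetype
    | mvexpand sourcetype ]
| timechart span=1h sum(count) by sourcetype
| fillnull value=0
```

A column that exists only because of its dummy row shows 0 in every hour, which is exactly the signal a monitoring dashboard needs: a source that has stopped sending is visible as a flat line of zeros rather than silently vanishing from the chart.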