Splunk Search

how to use timechart count to return 0 when value is null, fillnull not working

lasonyadj
New Member

I am working on a search that returns counts by the hour but when the event has not occur, I would still like to fill in the column with zeros instead of it not appearing at all. I have tried fillnull, eval = if, eval =ifnull and it still has the same behavior. Any ideas? How do I create dummy data for when this occurs.

sourcetype=x Or sourcetype=y Or Sourcetype=z |timchart count span=1h by sourcetype

0 Karma
1 Solution

paulbannister
Communicator

After you timechart command add:

| table _time, sourcetype1, sourcetype2, sourcetype3
| fillnull sourcetype1, sourcetype2, sourcetype3

This should still display the data as a timechart but creating the missing fields to be subject "fillnull"

View solution in original post

paulbannister
Communicator

After you timechart command add:

| table _time, sourcetype1, sourcetype2, sourcetype3
| fillnull sourcetype1, sourcetype2, sourcetype3

This should still display the data as a timechart but creating the missing fields to be subject "fillnull"

lasonyadj
New Member

That works!! Thanks!1

0 Karma

DalJeanis
Legend

Great! Please be sure to accept the answer that works, and upvote any answers that were helpful.

0 Karma

paulbannister
Communicator

No problem

0 Karma

dineshraj9
Builder

Add the usenull flag to the timechart command -

sourcetype=x OR sourcetype=y OR sourcetype=z | timchart span=1h usenull=true count by sourcetype
0 Karma

lasonyadj
New Member

Tried that too, it didn't work either.

0 Karma

dineshraj9
Builder

You have to ensure that there is at least 1 event from each of the of sourcetype so that you can see 0 values for those.

If any of x or y or z has no events at all in the time range you are searching, they won't show up in the results with 0 values for any of the time range.

0 Karma

lasonyadj
New Member

So there is no way to pad these sources with zero when there are no events?

0 Karma

dineshraj9
Builder

Try this -

 sourcetype=x OR sourcetype=y OR sourcetype=z | timchart span=1h usenull=true count by sourcetype | fillnull value=0 x y z

lasonyadj
New Member

correction:
sourcetype=x Or sourcetype=y Or Sourcetype=z |timechart count span=1h by sourcetype

0 Karma

lasonyadj
New Member

Also tried usenull, it didn't work either.

0 Karma
Get Updates on the Splunk Community!

Cloud Platform | Customer Change Announcement: Email Notification Will Be Available ...

The Notification Team is migrating our email service provider from Postmark to AWS Simple Email ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...