Splunk Search

how to use timechart count to return 0 when value is null, fillnull not working

New Member

I am working on a search that returns counts by the hour, but when an event has not occurred, I would still like to fill in the column with zeros instead of it not appearing at all. I have tried fillnull, eval with if, and eval with ifnull, and it still has the same behavior. Any ideas? How do I create dummy data for when this occurs?

sourcetype=x OR sourcetype=y OR sourcetype=z | timechart count span=1h by sourcetype

0 Karma
1 Solution

Communicator

After your timechart command add:

| table _time, sourcetype1, sourcetype2, sourcetype3
| fillnull value=0 sourcetype1 sourcetype2 sourcetype3

This should still display the data as a timechart, but it creates the missing fields so that they are subject to fillnull.
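Putting the accepted answer together with the original search, as an added example that is not from the thread itself: the column names are assumed to be the literal sourcetype values x, y and z, since `timechart ... by sourcetype` names each series after the field value. The final `where` goes slightly beyond the answer and keeps only the hours in which some source logged nothing, which is the situation a monitoring search most needs to surface rather than silently omit.

```spl
sourcetype=x OR sourcetype=y OR sourcetype=z
| timechart span=1h count by sourcetype
| table _time x y z
| fillnull value=0 x y z
| where x=0 OR y=0 OR z=0
```

`table` creates the x, y and z columns even when a sourcetype produced no events at all in the time range, which is the case timechart alone drops; `fillnull value=0` then turns the empty cells into zeros so the comparison in `where` works. Drop the last line to get the plain zero-padded timechart.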

New Member

That works!! Thanks!

0 Karma

SplunkTrust

Great! Please be sure to accept the answer that works, and upvote any answers that were helpful.

0 Karma

Communicator

No problem

0 Karma

Builder

Add the usenull flag to the timechart command -

sourcetype=x OR sourcetype=y OR sourcetype=z | timechart span=1h usenull=true count by sourcetype

0 Karma

New Member

Tried that too, it didn't work either.

0 Karma

Builder

You have to ensure that there is at least 1 event from each of the sourcetypes so that you can see 0 values for those.

If any of x or y or z has no events at all in the time range you are searching, they won't show up in the results with 0 values for any of the time range.

0 Karma

New Member

So there is no way to pad these sources with zero when there are no events?

0 Karma

Builder

Try this -

sourcetype=x OR sourcetype=y OR sourcetype=z | timechart span=1h usenull=true count by sourcetype | fillnull value=0 x y z

New Member

correction:
sourcetype=x OR sourcetype=y OR sourcetype=z | timechart count span=1h by sourcetype

0 Karma

New Member

Also tried usenull, it didn't work either.

0 Karma