- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- how to use timechart count to return 0 when value ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am working on a search that returns counts by the hour but when the event has not occur, I would still like to fill in the column with zeros instead of it not appearing at all. I have tried fillnull, eval = if, eval =ifnull and it still has the same behavior. Any ideas? How do I create dummy data for when this occurs.
sourcetype=x Or sourcetype=y Or Sourcetype=z |timchart count span=1h by sourcetype
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After you timechart command add:
| table _time, sourcetype1, sourcetype2, sourcetype3
| fillnull sourcetype1, sourcetype2, sourcetype3
This should still display the data as a timechart but creating the missing fields to be subject "fillnull"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After you timechart command add:
| table _time, sourcetype1, sourcetype2, sourcetype3
| fillnull sourcetype1, sourcetype2, sourcetype3
This should still display the data as a timechart but creating the missing fields to be subject "fillnull"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That works!! Thanks!1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great! Please be sure to accept the answer that works, and upvote any answers that were helpful.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No problem
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add the usenull flag to the timechart command -
sourcetype=x OR sourcetype=y OR sourcetype=z | timchart span=1h usenull=true count by sourcetype
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tried that too, it didn't work either.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have to ensure that there is at least 1 event from each of the of sourcetype so that you can see 0 values for those.
If any of x or y or z has no events at all in the time range you are searching, they won't show up in the results with 0 values for any of the time range.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So there is no way to pad these sources with zero when there are no events?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this -
sourcetype=x OR sourcetype=y OR sourcetype=z | timchart span=1h usenull=true count by sourcetype | fillnull value=0 x y z
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
correction:
sourcetype=x Or sourcetype=y Or Sourcetype=z |timechart count span=1h by sourcetype
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also tried usenull, it didn't work either.
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
