Hi,
I'm trying to fill empty hours (without events) using makecontinuous.
The time column is created in the query:
| tstats count(s_id) as C
FROM datamodel=Hs
by s_date s_hour
| eval date_hour = s_date." ".s_hour
| eval y=strptime(date_hour, "%Y-%m-%d %H")
| eval z=strftime(y, "%Y-%m-%dT%H:%M:%S.%Q")
| fields z C
z   C
1   2019-12-18T10:00:00.000 735017
2   2019-12-18T11:00:00.000 743298
3   2019-12-18T12:00:00.000 733748
4   2019-12-18T13:00:00.000 723318
5   2019-12-18T14:00:00.000 737788
6   2019-12-18T15:00:00.000 702345
7   2019-12-18T08:00:00.000 682183
8   2019-12-18T09:00:00.000 699685
9   2019-12-19T00:00:00.000 485244
There is a hole between lines 6-7 and I want to complete it in hourly rows (with value 0 for column C).
Tried a few queries with makecontinuous but no results.
Thanks!
 | tstats count(s_id) as C
 FROM datamodel=Hs
 by s_date s_hour
 | eval date_hour = s_date." ".s_hour
 | eval y=strptime(date_hour, "%Y-%m-%d %H")
 | eval _time = y
 | timechart limit=0 span=1h values(C) as C
 | eval z=strftime(_time, "%Y-%m-%dT%H:%M:%S.%Q")
 | fields z C
 | fillnull
Hi, @martynoconnor
how about it? I don't use makecontinuous
It looks like you're trying to do makecontinuous over _time. If you haven't already, take a look at the documentation here:
https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/SearchReference/Makecontinuous#Examples
You'll need to pass in a few extra settings to makecontinuous to tell it what size bin/span you want to use.
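
The makecontinuous approach described in the last answer, written out as an added example that is not part of the original thread. It reuses the datamodel and field names from the question, converts the date and hour to an epoch `_time`, sorts the rows into time order, tells makecontinuous to use one-hour bins, and sets C to 0 on the rows it creates:

```spl
| tstats count(s_id) as C
  FROM datamodel=Hs
  by s_date s_hour
| eval _time = strptime(s_date." ".s_hour, "%Y-%m-%d %H")
| sort 0 _time
| makecontinuous _time span=1h
| fillnull value=0 C
| eval z = strftime(_time, "%Y-%m-%dT%H:%M:%S.%Q")
| fields z C
```

makecontinuous fills only between the earliest and latest hour already present in the results, so empty hours before the first row or after the last row are not added unless its start and end options are set.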
