Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

timechart: fill values in empty slots

zaphod1984
Path Finder
‎11-27-2014 04:43 AM

Assuming I have the following log entries

2014-11-01 foo=bar
2014-11-02 foo=bax

With the search | timechart span=1d count only the days get plottet where actually an entries exists, but not on that days that have been happening since the last entry and now.
Is there a simple way to fill those gaps?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎11-27-2014 04:50 AM

Hi zaphod1984,

take a look at this answer to get more details
http://answers.splunk.com/answers/176466/how-to-use-eval-if-there-is-no-result-from-the-bas-1.html

but you can do something like this:

... | stats count AS myCount by foo, _time | timechart span=1d sum(myCount) AS count

this way you would get a 0 for days with no events.

hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎11-27-2014 04:50 AM

Hi zaphod1984,

take a look at this answer to get more details
http://answers.splunk.com/answers/176466/how-to-use-eval-if-there-is-no-result-from-the-bas-1.html

but you can do something like this:

... | stats count AS myCount by foo, _time | timechart span=1d sum(myCount) AS count

this way you would get a 0 for days with no events.

hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

zaphod1984
Path Finder
‎11-27-2014 05:04 AM

that's it, thanks!
i was hoping that there would be some kind of a parameter for timechart...

0 Karma
Reply
Solved! Jump to solution

zaphod1984
Path Finder
‎11-27-2014 05:13 AM

any ideas on how to accompilish this when it comes to averages, medians etc. instead of a simple count?

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎11-27-2014 05:16 AM

take a look at the docs http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/CommonStatsFunctions for all available functions for timechart

0 Karma
Reply
Solved! Jump to solution

zaphod1984
Path Finder
‎11-27-2014 06:50 AM

hi i know the methods that are available but a search like this would not be accurate anymore when using the approach mentioned above: ... | stats p90(foo) AS myP90Foo _time | timechart span=1d p90(myP90Foo) AS p90Foo

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎11-27-2014 07:14 AM

the stats is only there to create empty event counts not to do any aggregation or such, do all this in your timechart

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...

Keep the Learning Going with the New Best of .conf Hub

Hello Splunkers, With .conf26 getting closer, there’s already a lot of excitement building around this year’s ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...