Splunk Search

timechart - show every week, even if there is no value

matansocher
Contributor

Hi,

I am creating a timechart and in some of my weeks I have no value for a field ("Number Of Lines").
I need the timechart to present every week, and when there is no value for a week, fill it with value of 0 in the field "Number Of Lines".

I have tried fillnull but it is not working.

my query:

index=testeda_p groupID=sloc_data 
| eval _time = strptime(dateformat, "%m-%d-%Y") 
| timechart span=1w sum(sloc) as "Number Of Lines"

Thanks

0 Karma

gcusello
Legend

Hi matansocher,
try

index=testeda_p groupID=sloc_data 
| timechart span=1w sum(sloc) as "Number Of Lines"

Bye.
Giuseppe

0 Karma

matansocher
Contributor

I must use the line with the "dateformat" field. I use that sting date and not the upload to splunk date.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!