I have a scenario here.
I have data in my local Splunk for the time range from 6-Nov-2015 11:45 UTC to 10-Nov-2015 13:45 UTC. I need to get the data count in buckets based on a time span of 15 minutes. If I try to search data from 6-Nov-2015 10:30 UTC to 10-Nov-2015 15:30 UTC using timechart, I am getting empty buckets in between the data, but losing the empty buckets at the start/end. And I am getting buckets from 6-Nov-2015 11:45 UTC to 10-Nov-2015 13:45 UTC. Can anyone suggest how to get the empty buckets at the start/end?
My Splunk search is:
(index=my_index msecBefore>=1446805800000 msecBefore<=1447169400000 label="testLabel") | timechart cont=true span=15m count(eval( msecElapsed<72000000)) as Satisfied
Any help would be appreciated.
Regards,
Suresh