I am running the following query in Splunk:

```
index=appName build=xyz logLevel=ERROR | timechart span=1d count As value
```
If there are any events, it returns the data in the following columns (result 1), which is exactly what I am looking for:

result 1

| _time | value |
|---|---|
| 19-Jan-2020 | 10 |
| 18-Jan-2020 | 14 |
The problem is when there are no results: it returns 0 events. What I want is for the output to look like this (result 2) when there are no results for my query:

result 2

| _time | value |
|---|---|
| 19-Jan-2020 | 0 |
| 18-Jan-2020 | 0 |
I tried improving my query and was able to achieve result 2 with query 2, but when there are events as a result of my query, the output gets messed up.

query 2

```
index=appName | timechart span=60 count as valueInner | appendcols [| search index=appName build=xyz lvl=ERROR | bucket _time span=60s | stats count as value ] | fillnull value=0
```
How should I write a query that gives the _time and value columns irrespective of whether the search returns any events?
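One standard way to get a row per day even when the base search matches nothing is to generate the time buckets yourself and merge them with the `timechart` output. The following search is an added example, not code from the original poster: it keeps the index, field names and `span=1d` from the question, and assumes the time picker and the `gentimes` range (here the last two days, `start=-2`) are set to cover the same days, which is the part you would adjust for your own dashboard.

```spl
index=appName build=xyz logLevel=ERROR
| timechart span=1d count AS value
| append
    [| gentimes start=-2 increment=1d
     | eval _time=starttime, value=0
     | fields _time value ]
| stats sum(value) AS value BY _time
| sort - _time
```

`timechart span=1d` and `gentimes increment=1d` both align their buckets to local midnight, so `stats sum(value) BY _time` collapses each day to a single row: the real count when the error search produced one, and 0 from the generated row otherwise. Unlike `appendcols`, which pairs rows positionally and therefore misaligns as soon as the two result sets have different lengths, this join is keyed on `_time`, so it behaves the same whether the base search returns zero events or thousands.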