Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you show all source types even if no data is available?

maryamchar
Explorer
‎02-07-2019 11:18 AM

Hi,

I'm trying to show all the source types within the last 24 hours (I set that by using presets), and if those source types have no data, I still want to show the name of the soucetype but with 0 (represent no data).

This is what I'm doing now, but it only shows the source types with data for the last 24 hours. 

index=* |chart count over sourcetype 
|eval name=if(count=="0", "0", "1")

Please help. I searched everywhere and tried so many things but still no luck. Also, I'm trying to use the trellis visualization to represent those source types

0 Karma
Reply

adonio
Ultra Champion
‎02-07-2019 02:37 PM

use the | metadata command

| metadata type=sourcetypes index=*
| eval diff=now()-lastTime | where diff > 3600*24
| convert ctime(lastTime) 
| convert ctime(firstTime)  
| convert ctime(recentTime) 
| sort -diff

read more here:
https://docs.splunk.com/Documentation/Splunk/7.2.3/SearchReference/Metadata

hope it helps

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...