Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do you show all source types even if no data is available?

maryamchar
Explorer
‎02-07-2019 11:18 AM

Hi,

I'm trying to show all the source types within the last 24 hours (I set that by using presets), and if those source types have no data, I still want to show the name of the soucetype but with 0 (represent no data).

This is what I'm doing now, but it only shows the source types with data for the last 24 hours. 

index=* |chart count over sourcetype 
|eval name=if(count=="0", "0", "1")

Please help. I searched everywhere and tried so many things but still no luck. Also, I'm trying to use the trellis visualization to represent those source types

0 Karma
Reply

adonio
Ultra Champion
‎02-07-2019 02:37 PM

use the | metadata command

| metadata type=sourcetypes index=*
| eval diff=now()-lastTime | where diff > 3600*24
| convert ctime(lastTime) 
| convert ctime(firstTime)  
| convert ctime(recentTime) 
| sort -diff

read more here:
https://docs.splunk.com/Documentation/Splunk/7.2.3/SearchReference/Metadata

hope it helps

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...