Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Show all buckets of _time in visualization including zero counts

jcrochon
Explorer
‎09-05-2017 02:51 PM

Hello Splunker,

I'm trying to display a 'timestamp, event count' visualization including counts of zero events

host="[redacted]" src_port=* | bucket _time span=1h | stats count by _time | eval _time=strftime(_time, "%Y-%m-%d %H:%M")

Results
2017-09-05 12:00 2
2017-09-05 13:00 1
2017-09-05 16:00 1

Expected Results
2017-09-05 12:00 2
2017-09-05 13:00 1
2017-09-05 14:00 0
2017-09-05 15:00 0
2017-09-05 16:00 1

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎09-05-2017 03:55 PM

Try this -

host="[redacted]" src_port=* 
| bucket _time span=1h 
| stats count as mycount by _time 
| appendpipe 
    [| stats min(_time) as mintime max(_time) as maxtime 
     | eval maxtime=maxtime+1 
     | eval mytime=mvrange(mintime, maxtime,3600) 
     | mvexpand mytime 
     | eval _time=mytime 
     | eval mycount=0 
     | table _time mycount
     ]
| stats sum(mycount) as mycount by _time 
| eval _time=strftime(_time, "%Y-%m-%d %H:%M")

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎09-05-2017 03:55 PM

Try this -

host="[redacted]" src_port=* 
| bucket _time span=1h 
| stats count as mycount by _time 
| appendpipe 
    [| stats min(_time) as mintime max(_time) as maxtime 
     | eval maxtime=maxtime+1 
     | eval mytime=mvrange(mintime, maxtime,3600) 
     | mvexpand mytime 
     | eval _time=mytime 
     | eval mycount=0 
     | table _time mycount
     ]
| stats sum(mycount) as mycount by _time 
| eval _time=strftime(_time, "%Y-%m-%d %H:%M")
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...