Solved: Show all buckets of _time in visualization includi...

jcrochon · ‎09-05-2017

Hello Splunker,

I'm trying to display a 'timestamp, event count' visualization including counts of zero events

host="[redacted]" src_port=* | bucket _time span=1h | stats count by _time | eval _time=strftime(_time, "%Y-%m-%d %H:%M")

Results
2017-09-05 12:00 2
2017-09-05 13:00 1
2017-09-05 16:00 1

Expected Results
2017-09-05 12:00 2
2017-09-05 13:00 1
2017-09-05 14:00 0
2017-09-05 15:00 0
2017-09-05 16:00 1

DalJeanis · ‎09-05-2017

Try this -

host="[redacted]" src_port=* 
| bucket _time span=1h 
| stats count as mycount by _time 
| appendpipe 
    [| stats min(_time) as mintime max(_time) as maxtime 
     | eval maxtime=maxtime+1 
     | eval mytime=mvrange(mintime, maxtime,3600) 
     | mvexpand mytime 
     | eval _time=mytime 
     | eval mycount=0 
     | table _time mycount
     ]
| stats sum(mycount) as mycount by _time 
| eval _time=strftime(_time, "%Y-%m-%d %H:%M")

View solution in original post

DalJeanis · ‎09-05-2017

Try this -

host="[redacted]" src_port=* 
| bucket _time span=1h 
| stats count as mycount by _time 
| appendpipe 
    [| stats min(_time) as mintime max(_time) as maxtime 
     | eval maxtime=maxtime+1 
     | eval mytime=mvrange(mintime, maxtime,3600) 
     | mvexpand mytime 
     | eval _time=mytime 
     | eval mycount=0 
     | table _time mycount
     ]
| stats sum(mycount) as mycount by _time 
| eval _time=strftime(_time, "%Y-%m-%d %H:%M")

Show all buckets of _time in visualization including zero counts

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...