Re: How to continue with last known value on a sim...

ajtalbot1 · ‎10-31-2019

Simple search to look at the battery status on my UPS:

UPS_BATT
| timechart max(UPS_BATT) span=1m

But the UPS_BATT value only comes in every 4~12 hours.

How do I continue with last known value, until real data shows up?

arjunpkishore5 · ‎10-31-2019

If I understand your question right, you need to use filldown

UPS_BATT
| timechart max(UPS_BATT) as UPS_BATT  span=1m
| filldown UPS_BATT

Documentation here - https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Filldown

Hope this helps

Cheers

arjunpkishore5 · ‎11-01-2019

Hi @ajtalbot1 Thank you for the Upvote. Could you please mark as answer if this is what you were looking for. Cheers!

ajtalbot1 · ‎10-31-2019

Pic attached. UPS reached 100%, and it will not provide an update until:
4 hours have gone by
battery status changes

How do I fill in the red section in the graph? Basically just assume the last known value, in this case 100, until real data is provided.

nplamondon · ‎10-31-2019

If the problem is that you're seeing the graph go to zero between readings on a line chart, under Format, you'll find a setting for Null Values. Set that to "Connect" and you should see those gaps go away.

If I've misunderstood your issue, please expand your explanation. Screenshots for this sort of thing are helpful, too.

How to continue with last known value on a simple timechart

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases