Why does makeresults returns "1" instead of "0"?

rrovers · ‎02-06-2023

My search:

| makeresults earliest=-2h
| timechart count as aantal span=1m

returns a list of zero's but for the last/current minute it returns "1". I only want zero's back to combine this search with a timechart.

After combining these searches (makeresults and timechart) there should be no message "no values found" anymore.

What do I have to change to have only zero's as a result of my makeresults search?

ITWhisperer · ‎02-06-2023

makeresult creates an event with a timestamp (more is you use count=0).

timechart uses earliest (and latest) to aggregate over using span to determine the buckets.

Your latest count is 1 from the makeresults.

Try a different aggregation e.g. max() and then fillnull

| makeresults earliest=-2h
| timechart max(aantal) as aantal span=1m
| fillnull value=0 aantal

PaulPanther · ‎02-06-2023

I have no clue what do you wanna achieve at the end 😄

But you could do it like

| makeresults earliest=-2h
| timechart count as aantal span=1m
| eval aantal=if(aantal=1,"0","0")

Why does makeresults returns "1" instead of "0"?

timechart

Thanks for the Memories! Splunk University, .conf25, and our Community

Data Persistence in the OpenTelemetry Collector

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Are you a member of the Splunk Community?

Why does makeresults returns "1" instead of "0"?

timechart

Thanks for the Memories! Splunk University, .conf25, and our Community

Data Persistence in the OpenTelemetry Collector

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever