Why does makeresults returns "1" instead of "0"?

rrovers · ‎02-06-2023

My search:

| makeresults earliest=-2h
| timechart count as aantal span=1m

returns a list of zero's but for the last/current minute it returns "1". I only want zero's back to combine this search with a timechart.

After combining these searches (makeresults and timechart) there should be no message "no values found" anymore.

What do I have to change to have only zero's as a result of my makeresults search?

ITWhisperer · ‎02-06-2023

makeresult creates an event with a timestamp (more is you use count=0).

timechart uses earliest (and latest) to aggregate over using span to determine the buckets.

Your latest count is 1 from the makeresults.

Try a different aggregation e.g. max() and then fillnull

| makeresults earliest=-2h
| timechart max(aantal) as aantal span=1m
| fillnull value=0 aantal

PaulPanther · ‎02-06-2023

I have no clue what do you wanna achieve at the end 😄

But you could do it like

| makeresults earliest=-2h
| timechart count as aantal span=1m
| eval aantal=if(aantal=1,"0","0")

Why does makeresults returns "1" instead of "0"?

timechart

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

Your summer travels continue with new course releases

Are you a member of the Splunk Community?

Why does makeresults returns "1" instead of "0"?

timechart

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

Your summer travels continue with new course releases