I need to report for each minute during a given month for numerous sources. My issue is dealing with missing transactions; exactly what I need to report on. If I use `timechart span=1m count`, I get the missing entries, but for only one source. If I include all sources I get all the data, but the source is where the count is.
_time...........................................srcA.....srcB
2016-01-01T00:00:00.000-0600.....0........4
2016-01-01T00:01:00.000-0600.....0........1
2016-01-01T00:02:00.000-0600.....0........3
2016-01-01T00:03:00.000-0600.....1........2
.
.
2016-01-31T23:56:00.000-0600.....0........3
2016-01-31T23:57:00.000-0600.....0........2
2016-01-31T23:58:00.000-0600.....0........0
2016-01-31T23:59:00.000-0600.....0........1
**When what I want is, i think.....**
source...._time................................................Count
srcA........2016-01-01T00:00:00.000-0600........0
srcA........2016-01-01T00:01:00.000-0600........0
srcA........2016-01-01T00:02:00.000-0600........0
srcA........2016-01-01T00:03:00.000-0600........1
.
.
srcA........2016-01-31T23:56:00.000-0600........0
srcA........2016-01-31T23:57:00.000-0600........0
srcA........2016-01-31T23:58:00.000-0600........0
srcA........2016-01-31T23:59:00.000-0600........0
srcB........2016-01-01T00:00:00.000-0600........4
srcB........2016-01-01T00:01:00.000-0600........1
srcB........2016-01-01T00:02:00.000-0600........3
srcB........2016-01-01T00:03:00.000-0600........2
.
.
srcB........2016-01-31T23:56:00.000-0600........3
srcB........2016-01-31T23:57:00.000-0600........2
srcB........2016-01-31T23:58:00.000-0600........0
srcB........2016-01-31T23:59:00.000-0600........3
If I use stats, I get only the counts when an event occurred. I thought I could use a subsearch to produce a template of times and 0 counts to merge with to fill in the missing rows, but the subsearch limit is 10500 rows and there are 44640 minutes in a 31 day month.
Any help is appreciated.
↧