Splunk’s Search Processing Language (SPL) is the foundation of querying and analyzing machine data in Splunk. With SPL, users can filter, calculate, transform, and visualize data across virtually any use case. Among the many SPL commands, makecontinuous plays a critical role when working with time-series data. When visualizing metrics over time, gaps in data often distort the analysis. That’s where makecontinuous helps — it ensures time continuity in results, filling in missing time points with empty or null values. Without this command, charts may mislead or skip over silent periods. For security teams, IT admins, or business analysts, that absence of data can be just as important as its presence.
Understanding the makecontinuous Command
The makecontinuous command helps you build uninterrupted timelines. It inserts the time buckets that are missing between the earliest and latest buckets in your results, so every expected interval appears even if no events fell into it. Let's say you're counting logins per hour with bin and stats. stats emits a row only for hours that contain events, so an hour with no logins simply does not appear, and a chart drawn from those rows skips over that window as if the search had never covered it. With makecontinuous you force the timeline to include every slice, giving a clear, consistent view. Two caveats matter in practice. First, timechart already emits every bucket in the search window (count is 0 for empty buckets), so makecontinuous is only needed after bin followed by stats, where you build the buckets yourself. Second, makecontinuous fills gaps between the first and last value it sees; it does not extend the timeline to the edges of the search window, so a source that went silent and stayed silent produces no trailing empty buckets unless you anchor the end of the window yourself.
Proper Syntax
The basic syntax for the command is:
| makecontinuous [<field>] [span=<span>]
- field: The field to make continuous, typically _time.
- span: The interval between consecutive values, such as 15m, 1h, or 1d. If omitted, Splunk infers a span from the values present. Use the same span you gave bin, otherwise the inserted buckets will not line up with the existing ones.
For example:
| makecontinuous span=1h
This tells Splunk to insert any missing hourly buckets between the earliest and latest _time values in the results.
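To see exactly which rows the command inserts, here is an added example (not from the original article) that builds four constructed failed-login events with makeresults, so it runs on any Splunk instance with no indexed data at all; the timestamps and user names are made up. The events fall in the 00:00, 02:00 and 04:00 hours, so stats alone returns three rows; makecontinuous adds the empty 01:00 and 03:00 buckets and fillnull turns their null counts into zeros.

```spl
| makeresults
| eval data="2024-05-01T00:10:00 alice;2024-05-01T00:20:00 bob;2024-05-01T02:05:00 alice;2024-05-01T04:45:00 carol"
| makemv delim=";" data
| mvexpand data
| rex field=data "^(?<ts>\S+)\s+(?<user>\S+)$"
| eval _time=strptime(ts, "%Y-%m-%dT%H:%M:%S")
| bin _time span=1h
| stats count by _time
| makecontinuous _time span=1h
| fillnull value=0 count
| eval hour=strftime(_time, "%Y-%m-%d %H:%M")
| table hour count
```

Expected result: five rows, 00:00 with count 2, 01:00 with 0, 02:00 with 1, 03:00 with 0, and 04:00 with 1. Remove the makecontinuous line and run it again: the 01:00 and 03:00 rows disappear, which is the gap a line chart would silently draw across. The makemv, mvexpand and rex steps exist only to turn one makeresults row into four constructed events; in a real search they are replaced by the base search.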
Benefits of Using makecontinuous
#1 Accurate Timeline Representation
Fill in time gaps, so charts reflect every expected time point — even if no events occurred.
#2 Better Visualization
Keeps the x-axis evenly spaced, so a line chart cannot draw straight across a gap and hide it, and trends are not distorted by uneven spacing between points.
#3 Easy Anomaly Detection
Periods with no events become rows with a null count (zero once you apply fillnull), so silence is visible in the results and can be searched for with where count=0 rather than inferred from a chart.
Example Use Cases
Example #1: Visualizing Firewall Activity Over Time
Use Case: You're analyzing firewall traffic logs using the Splunk Common Information Model (CIM) to look for hours with no traffic. Because timechart already emits every hourly bucket in the search window, makecontinuous is a safeguard here; it does real work when you build the buckets yourself with bin and stats, as in Example #3.
`cim_Network_Traffic`
| timechart span=1h count
| makecontinuous span=1h
| fillnull value=0
Example #2: Monitoring Failed Logins Per Day
Use Case: You want to review daily failed login attempts using CIM’s Authentication data model.
`cim_Authentication` action="failure"
| timechart span=1d count by user
| makecontinuous span=1d
| fillnull value=0
Example #3: Tracking DNS Queries Over 15 Minute Intervals
Use Case: Your team wants to watch DNS traffic every 15 minutes, even when no queries are made.
`cim_DNS`
| bin _time span=15m
| stats count by _time
| makecontinuous span=15m
| fillnull value=0
Explanation:
The macro searches the configured index, then bin rounds each event's _time down to the start of its 15-minute bucket. stats count by _time counts the DNS events in each bucket, emitting a row only for buckets that contain at least one event. makecontinuous inserts a row for every 15-minute bucket missing between the first and last bucket present, using the same span as bin so the new rows line up with the existing ones. Finally, fillnull replaces the null counts on those inserted rows with zero to complete the dataset.
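Benefit #3 and Example #3 both treat silence as something to look for; the search below, an added example rather than part of the original article, turns it into an alert. It uses the article's `cim_DNS` macro as-is and a fixed four-hour window (the -4h choice is an assumption). Because makecontinuous only fills between the first and last bucket present, a DNS source that went dark at the end of the window would produce no trailing empty buckets; two makeresults rows with count=0 anchor the start and end of the window so those buckets exist, and the stats sum step merges the anchors with real buckets so a bucket that did have traffic is never reported as silent.

```spl
`cim_DNS` earliest=-4h latest=now
| bin _time span=15m
| stats count by _time
| append [| makeresults | eval _time=relative_time(now(), "-4h"), count=0]
| append [| makeresults | eval count=0]
| bin _time span=15m
| stats sum(count) as count by _time
| makecontinuous _time span=15m
| fillnull value=0 count
| where count=0 AND _time+900 <= now()
| eval silent_from=strftime(_time, "%Y-%m-%d %H:%M"), silent_until=strftime(_time+900, "%Y-%m-%d %H:%M")
| table silent_from silent_until
```

Save it as a scheduled search that runs every 15 minutes and triggers when the number of results is greater than 0. The where clause drops the current, still-open bucket so it is not reported as silent while it is filling, and the inline earliest and the relative_time anchor may not land on the same boundary, so the earliest bucket can be partial; treat a hit in that first bucket with some caution. For an hourly or daily source, change every 15m and every 900 consistently.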
Conclusion
The makecontinuous command is a powerful but often underused feature in Splunk SPL. It ensures time-based searches are complete and trustworthy by filling in any missing intervals. This becomes essential when analyzing trends, visualizing metrics, or identifying silent periods.
Key Takeaways:
- makecontinuous fills gaps in time-series data to produce complete, consistent timelines.
- Great for dashboards, reporting, and alert tuning.
By using makecontinuous, you avoid misreading charts and uncover trends that would otherwise be hidden. It’s one of those small commands that make a big difference.
To access more Splunk searches, check out Atlas Search Library, which is part of the Atlas Platform. Specifically, Atlas Search Library offers a curated list of optimized searches. These searches empower Splunk users without requiring SPL knowledge. Furthermore, you can create, customize, and maintain your own search library. By doing so, you ensure your users get the most from using Splunk.
