Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Include zero count in stats count

johandk
Path Finder
‎05-06-2011 12:51 AM

I have a search like this:

sourcetype="wineventlog:security" (host="Server1" OR host="server2" OR host="server3") | stats count(host) by host

This returns server1 and server2 and their counts but not server3 cause there is no events for it. How do I force it for server3 to display in the table with a zero count??

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎05-06-2011 02:34 PM

This search would show a count of those servers:

|stats count | eval host="Server1,Server2,Server3" | makemv delim="," host | mvexpand host | append [search sourcetype="wineventlog:security" (host="Server1" OR host="Server2" OR host="Server3")] | stats sum(eval(if(isnull(_time),0,1))) as count by host

If there are many servers, it may be easier to maintain the list in a lookup file.

Alternatively, if you want to show counts of all servers Splunk has seen you can lead with a metadata command and obviate the need to specify servers.

View solution in original post

Reply
Solved! Jump to solution

samkidman
Engager
‎05-20-2014 09:22 PM

Heres a way to do it if you have a large number of hosts that match a regex without using a lookup file:

|stats count | eval [|metadata type=hosts |regex host="<matching hosts>"| fields + host | mvcombine delim="," host | nomv host | format "","","","","",""] | makemv delim="," host | mvexpand host | append [search sourcetype="wineventlog:security" | regex host="<matching hosts>" ] | stats sum(eval(if(isnull(_time),0,1))) as count by host
Reply
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎05-06-2011 02:34 PM

This search would show a count of those servers:

|stats count | eval host="Server1,Server2,Server3" | makemv delim="," host | mvexpand host | append [search sourcetype="wineventlog:security" (host="Server1" OR host="Server2" OR host="Server3")] | stats sum(eval(if(isnull(_time),0,1))) as count by host

If there are many servers, it may be easier to maintain the list in a lookup file.

Alternatively, if you want to show counts of all servers Splunk has seen you can lead with a metadata command and obviate the need to specify servers.

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...