How can I set my count to '0' when no results are ...

RocIngersol · ‎11-01-2017

Hi Folks,

I want to produce a count of events in each of my indexes. Where there isn't any data for the time range I specify in my search, I want to return 0 next to the corresponding index. So far I've tried;

index=blah* |timechart span=5m count by index | append pipe [stats count | where count==0]

The above returns 0 - but how can I add in the corresponding index name that has 0?

thx!

R

somesoni2 · ‎11-01-2017

Try this

index=blah* |timechart span=5m count by index 
| table [| rest /services/data/indexes | table title | search title=blah* | rename title as search]
| fillnull value=0

lfedak_splunk · ‎11-02-2017

Here's more info about fillnull! http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Fillnull Just learned about it in the Splunk Fundamentals II course myself. 😄 You can use the fillnull command to replace all null values with 0 or any string that you’d like

RocIngersol · ‎11-06-2017

Thx for the reply. Yeah I've used fillnill a few times - in this case (where there is no data in the index for the specified search time window I still get 'no results found' as opposed to my wanted index_name count 0

somesoni2 · ‎11-06-2017

Give this a try then...

index=blah* | bucket span=5m _time | stats count by _time index  
| appendpipe [| stats count | where count=0 | addinfo 
| eval time=split(info_min_time." ".info_max_time," ") | table time count| mvexpand time 
| rename time as _time  | eval index="dummy"] |timechart span=5m count by index 
 | table _time [| rest /services/data/indexes | table title | search title=blah* | rename title as search]
 | fillnull value=0

How can I set my count to '0' when no results are found in a table with the corresponding source?

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?