Hello,
I have a search like this: sourcetype="mysource" | stats count by field
I need to show zero if the field doesn't exist in the result. How do I do that?
Thanks,
Use fillnull:
sourcetype="mysource" | fillnull value="0" field | stats count by field
"Original Poster" == the person who asked the question.
? fillnull will add the field with a zero value if it does not exist, and add a zero if it has no value. That is what OP wanted. What does OP stand for?
The search you've provided will fill "field" with 0 everywhere, then count the occurrences by the value, where the count of "value=0" will represent the number of events where the field was empty. I'm not quite sure what the OP wanted....
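An added example, not part of the original thread: a search that runs without indexed data, using five constructed events from makeresults, two of which have no value for field. With the fillnull line the result is 0=2, a=2, b=1; without it, stats drops the two events that lack field and only the a and b rows appear.

```spl
| makeresults count=5
| streamstats count AS n
| eval field=case(n<=2, "a", n==3, "b")
| fillnull value="0" field
| stats count by field
```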