- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to modify the retrun value of stats count by ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to modify the retrun value of stats count by search using eval
I am running a search query like this
index=w3c host=web-a OR host=web-b ASP_NET_SessionId=* c_ip=x.x.x.* | eval cur=if(_time>relative_time(now(),"-15m"),1,0) | stats dc(ASP_NET_SessionId) by cur | sort -cur
the return value of the above search sometimes return both values and sometime only one.
i.e.
Cur dc(ASP_NET_SessionId)
1 15
0 2
And sometimes I may get,
Cur dc(ASP_NET_SessionId)
1 12
And sometimes I may get,
"No results found"
I suspect that I am not seeing the 2nd row (or No results found) here most likely because of the fact that the return value of dc(ASP_NET_SessionId) may be 0.
My question is, is there a way to modify the search so that I always get two rows even if the value is zero. I just want to display as zero and not a missing line or "No results found". So it should look like
Cur dc(ASP_NET_SessionId)
1 0
0 0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, the following query worked. It gave me the result I wanted as per above.
index=w3c host=web-a OR host=web-b ASP_NET_SessionId=* c_ip=x.x.x.*
| eval cur=if(_time>relative_time(now(),"-15m"),1,0)
| append [ stats count | eval cur = if(count == 0, 0,1)]
| append [ stats count | eval cur = if(count == 0, 1,0)]
| stats dc(ASP_NET_SessionId) by cur | sort -cur
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try following
*| head 1 | eval cur="1,0" | fields cur| eval cur=split(cur,",") | mvexpand cur | join type=left cur [search index=w3c host=web-a OR host=web-b ASP_NET_SessionId=* c_ip=x.x.x.* | eval cur=if(_time>relative_time(now(),"-15m"),1,0) | stats dc(ASP_NET_SessionId) by cur ]| sort -cur]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
should be fields instead of field
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you again. When I try the above, I get "unknown search command 'field'"
Sorry for my delayed resposne. I was away on leave for last 4 weeks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try using fillnull.
index=w3c host=web-a OR host=web-b ASP_NET_SessionId=* c_ip=x.x.x.* | eval cur=if(_time>relative_time(now(),"-15m"),1,0) | fillnull value="0" | stats dc(ASP_NET_SessionId) by cur | sort -cur
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your response. Tried that, no difference.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
