Display a result when the count =0

otman01
Communicator

Hi every one,
When I use the count command with stats or chart, the result displays only the events whose count is greater than 0.
In my case I want to display 0 if the count = 0.
Is it possible?
Thank you for your help, have a nice day 🙂


sideview
SplunkTrust

Based on your comment, you need the output to show certain values for EventType even if there is no rawdata with that value.

The answer is a little weird. Here's your search with the real results from the raw data.

source="WinEventLog:" | stats count by EventType

Now if we tack on an extra append command, and then an extra stats command, we can fabricate some rows that have zeros as the count, but in which all EventTypes are reflected.

| append [| stats count | eval EventType=split("1,2,3,4,5",",") | mvexpand EventType] | stats sum(count) as count by EventType

Now all 5 EventTypes will be in the results regardless of their presence in the raw data.
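The same zero-fill pattern written out in full, as an added example (not the answer's own search). It assumes a hypothetical index named wineventlog whose events carry a field EventType with the expected values 1 to 5; adjust the index, source and value list to your data. It replaces the bare "| stats count" seed with makeresults, which also yields exactly one row but states the intent, and it sets count=0 explicitly on the fabricated rows before the final stats sums real and fabricated counts per EventType. The trailing fillnull is defensive: sum(count) over fabricated rows is already 0, but it guarantees a numeric 0 rather than an empty cell if count is ever missing for a group.

```spl
index=wineventlog source="WinEventLog:*"
| stats count by EventType
| append
    [| makeresults
     | eval EventType=split("1,2,3,4,5", ",")
     | mvexpand EventType
     | eval count=0
     | fields EventType count]
| stats sum(count) as count by EventType
| fillnull value=0 count
```

For a list of expected values that changes over time, the subsearch can read them from a lookup instead of a hard-coded string, for example "| inputlookup expected_event_types.csv | eval count=0" (assuming a CSV lookup with an EventType column). From a detection standpoint this matters because a group that silently drops to zero, such as an audit event type that stops arriving, is itself a signal; without the zero-fill that row simply disappears from the table and nothing downstream can alert on it.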

otman01
Communicator

Thank you for your response, but the result given by the request is wrong 😞

sideview
SplunkTrust

That is odd. In case you read too fast and just pasted in the part starting with append, the full query is:

source="WinEventLog:" | stats count by EventType | append [| stats count | eval EventType=split("1,2,3,4,5",",") | mvexpand EventType] | stats sum(count) as count by EventType

It will give you exactly what you are asking for.

otman01
Communicator

Thank you for your response. It didn't give me the right result because I had a mistake in my source. It was my fault.
Now it works perfectly. Thank you sideview, have a nice day.

srinathd
Contributor

Hi. stats will always show the count. If there are no events, the result will show count as 0.

otman01
Communicator
  • This is my search query: source="WinEventLog:*" | stats count by EventType
  • This is the result of the search:

    EventType   count
    0           21
    2           11
    3           1
    4           22

    What I want is to display the 2 other event types that are not listed in the result: EventType 1 and EventType 5.

Thank you

masonmorales
Influencer

Cool question. I can answer if you can fill in a couple blanks for me:
What app are you using? (search?)
Are the eventtypes shared or private? If shared, are they shared in app or globally?

masonmorales
Influencer

Also is EventType a field you created or an actual "event type" knowledge object? (http://docs.splunk.com/Splexicon:Eventtype)

otman01
Communicator

Thank you for your response.
* So, EventType is a field; we can say that it is a GameCategory, for example.
* Yes, I use the search app.

MuS
SplunkTrust

Take a look at this answer http://answers.splunk.com/answers/176466/how-to-use-eval-if-there-is-no-result-from-the-bas-1.html to get some more details about using stats count in such a use case.
