Splunk Search

Include row for zero resutls

lawrenn
New Member

I have several searches that count the number of results per day, using "stats count by date_mday". My problem is that they don't include days with 0 results, which means I have to do a bit of manipulation after running the search.

Is there any way of forcing it to include a date entry for days with 0 matches?

I was wondering if I could achieve this with timechart and fillnull, but found the documentation (http://www.splunk.com/base/Documentation/4.2.2/SearchReference/Timechart) a bit confusing.

Thanks.

Tags (2)
0 Karma
1 Solution

BobM
Builder

Yes you can

your search | timechart span="1d" count | eval date_mday=strftime(_time, "%d") | fields count date_mday

the timechart does most of what you want but the date_mday is blank for dates with no data so the eval recreates this field and finally the fields command cleans up the result.

View solution in original post

BobM
Builder

Yes you can

your search | timechart span="1d" count | eval date_mday=strftime(_time, "%d") | fields count date_mday

the timechart does most of what you want but the date_mday is blank for dates with no data so the eval recreates this field and finally the fields command cleans up the result.

lawrenn
New Member

Thank you very much for your help

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...