Stats not returning zero counts

karthi2809 · ‎01-24-2017

index=xxx |bucket _time span=3m |stats count by _time host IP
We are using the above stats command to get count instead of timechart just because we have two by clause fields. We need help in returning Zero count as part of stats iteslf if there is no data available.

jplumsdaine22 · ‎01-30-2017

(Assuming you want zero counts for host)
You're going to have to either maintain a lookup of the hosts you are interested in, or search for all the hosts in certain time range. If you're happy with a lookup, then you can run your query like this:

| inputlookup interesting_hosts 
| fields host 
| join type=left host [ 
  search index=xxx earliest=-60m 
  | bucket _time span=3m 
  | stats count by _time host IP
  ] 
| fillnull count value=0

If you want something more dynamic, you can search for the hosts first over a longer time range than your final search

| tstats earliest=-30d count WHERE index=xxx by host 
| fields host 
| join type=left host [ 
  search index=xxx earliest=-60m
  | bucket _time span=3m 
  | stats count by _time host IP
  ] 
| fillnull count value=0

Stats not returning zero counts

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!