
No results found, I want to show other message but I want stats count by field

SS00110896
New Member

I am trying to compare the count based on ServiceMethod [field], but when there are no results found, that particular count for ServiceMethod value needs to be displayed as "0".

I tried many ways but no luck.

index=_internal source="/demo/demo.log" RequestWebService ServiceMethod
| stats count as RequestCount by ServiceMethod
| appendcols
    [ search index=_internal source="/demo/demo.log" RequestFromPage ResponseWebService ServiceMethod
    | stats count as ResponseCount by ServiceMethod ]

0 Karma
1 Solution

martin_mueller
SplunkTrust

Try this

index=_internal source="/demo/demo.log" ServiceMethod (RequestWebService OR (RequestFromPage ResponseWebService))
| eval requests = if(searchmatch("RequestWebService"), 1, 0)
| stats sum(requests) as RequestCount count as ResponseCount by ServiceMethod
| eval ResponseCount = ResponseCount - RequestCount
| inputlookup append=t service_methods
| stats max(*Count) as *Count by ServiceMethod

where service_methods is a lookup containing a list of all service methods with zeroed RequestCount and ResponseCount.

Side note, why is that indexed in _internal?

0 Karma
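
A run-anywhere example of the zero-fill step from the answer above, added here and not part of the original post. The events and the method names MethodA, MethodB and MethodC are constructed, and an `append` subsearch stands in for `inputlookup append=t service_methods`, so the search needs neither the log nor the lookup.

```spl
| makeresults count=3
| streamstats count as n
| eval ServiceMethod=case(n<=2, "MethodA", n==3, "MethodB")
| eval requests=if(n==2, 0, 1)
| stats sum(requests) as RequestCount count as ResponseCount by ServiceMethod
| eval ResponseCount = ResponseCount - RequestCount
| append
    [| makeresults
     | eval ServiceMethod=split("MethodA,MethodB,MethodC", ",")
     | mvexpand ServiceMethod
     | eval RequestCount=0, ResponseCount=0
     | fields ServiceMethod RequestCount ResponseCount]
| stats max(*Count) as *Count by ServiceMethod
```

The result has one row per method: MethodA with 1 and 1, MethodB with 1 and 0, and MethodC with 0 and 0, because MethodC appears only in the zeroed list and `max` keeps the real counts wherever they exist.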

SS00110896
New Member

Thanks Martin.

I just wanted to hide a few details, that's why.

0 Karma