I have 2 keywords and I am running query :
index="maa" | table Name Age Location | rex field="Location" (?
Out of the two keywords (kol, delhi), the Location field is matching only the "kol" keyword and I am getting my output as:
kol 10
but I want to get my output as
kol 10
delhi 0
because if there is no match then it should print 0 along with the keyword as above
Please help me to get the output: if the pattern does not match, it should print 0 along with the pattern (0 will represent that there is no such pattern).
Please help!! This is really urgent.
OK, if the second subsearch doesn't return any result, then there will be nothing to append and Splunk will not display it.
The workaround for this is to write a list of your expected lines, and store them in a CSV file or a lookup.
example file city_list.csv with a column header.
city, country
delhi, india
kol, india
moscow,russia
Then during your search use an OUTER JOIN on the city name to match the list to your results, and at the very end, replace the missing values with zero.
mysupersearch
| table city count
| join type=outer city [ | inputlookup city_list.csv | table city ]
| table city count
| fillnull value=0 count
for details :
lookups
http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/Inputlookup
http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/Outputlookup
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutlookupsandfieldactions
join http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/Join
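An added example, not part of the original answer: the lookup-plus-outer-join approach applied to the question's search, with the lookup on the left side of the join so that every listed city produces a row. It assumes city_list.csv is uploaded as a lookup table file with a `city` column, and that the capture group is named `city` (a name chosen here); `index="maa"` and `Location` are taken from the question.

```spl
| inputlookup city_list.csv
| fields city
| join type=outer city
    [ search index="maa"
      | rex field=Location "(?i)(?<city>kol|delhi)"
      | eval city=lower(city)
      | stats count by city ]
| fillnull value=0 count
| table city count
```

Cities in the lookup that never appear in `Location` come out of the join with no `count` value, which `fillnull` then sets to 0.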
Without any sample we cannot test your search.
If your events contain a single value in the field Location, you probably don't need 2 searches; a single one can do the trick.
Also I don't know if your regex is supposed to match "kol" or kol.
Also, the rex command expects | rex field=nameofthefield "regexexpression"
example :
index="maa" kol OR delhi | table Name Age Location | rex field=Location "(?<one>(?i)kol|delhi)" | eval one=lower(one) | stats count(one) by one
My rex is absolutely working fine separately for each keyword; when I am giving it ( kol | delhi ) it is not matching everything. Moreover, this is not my question. My question is very well defined in my first post but I am still unanswered. I am seeking the value 0 if my keyword is not matching with the field (that is my question: how to get a 0 count).
Field names are case sensitive. Please be consistent in your usage (don't use one then ONE).
index="maa" | table Name Age Location | rex field="Location" (?
Now, please help me to get the solution.
You still mix one and ONE. Proceed by fixing that.
By mistake I have used "one" instead of "ONE"
index="maa" | table Name Age Location | rex field="Location" (?
Above is my query; now let me know how I should proceed.
Thanks gkanapathy for this link :
But I am getting a bit confused by the answer given at this link:
Could you please (it's a heartfelt request) help me with my query:
index="maa" | table Name Age Location | rex field="Location" (?
Please help me: if any of the keywords is not matching the field "Location" then it should display the keyword along with 0.
Thanks in advance!! Please