- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- how to default a key value if a reduce function "s...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how to default a key value if a reduce function "stats" does not return any results...
I have the following query:
index=hello field=0 client=vip|stats dc(id) as no_event by client
If there is not any key=value pair "field=0" my reduced by _time function "stats" will not report any results. Based on these premises I have the following question which is related to:
[http://splunk-base.splunk.com/answers/67740/how-to-detect-and-fill-default-value-to-empty-value-field][1]
Is there a way in the splunk query language to default the results of the reduce function in case there is not any event?
Example:
log events:
01/01/2013 01:00:000 field=1 client=vip id=0002
01/02/2013 01:00:000 field=0 client=vip id=0006
01/03/2013 01:00:000 field=4 client=vip id=0008
01/05/2013 01:00:000 field=6 client=vip id=0010
Observation: There is not any event for 01/04/2013.
I need this result set:
_time no_event
01/01/2013 01:00:000 1
01/02/2013 01:00:000 1
01/03/2013 01:00:000 1
01/04/2013 01:00:000 0
01/05/2013 01:00:000 1
Thanks,
Lp
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this :
index=hello field=0 client=vip|stats dc(id) as no_event by client
| appendpipe [ stats count as no_event | eval client="vip" | where no_event==0 ]
the appendpipe sets no_event to the number of rows returned.
We then create a field called client set to 'vip'
We then only add the row to the main search if no_event is 0
Update
index=hello field=0 client=vip
| stats dc(id) as no_event by _time
| makecontinuous _time
| fillnull value=0 no_event
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Search command makecontinuous _time worked. I did not know this command.
Thank you.
Lp
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
updated answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I updated the question. So you may guide me if there is a solution.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
from my answer you referenced 😛 . You should post as answers, you post good comments.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kind a like I posted 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how about the solution presented in
http://splunk-base.splunk.com/answers/59589/no-results-found-to-be-represented-as-null-or-0
then you end could look like
| stats dc(id) as no_event by client | appendpipe [ stats count | eval id=0 | where count==0 | rename id as no_event | fields - count ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, I tried. it does not do the job.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
have you tried fillnull ?
maybe something like
index=hello field=0 client=vip|stats dc(id) as no_event by client | fillnull value=0 no_event
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
