Based on your comment, you need the output to show certain values for EventType even if there is no rawdata with that value.
The answer is a little weird. Here's your search with the real results from the raw data.
source="WinEventLog:" | stats count by EventType
Now if we tack on an extra append command, and then an extra stats command, we can fabricate some rows that have zeros as the count, but in which all EventTypes are reflected.
| append [| stats count | eval EventType=split("1,2,3,4,5",",") | mvexpand EventType] | stats sum(count) as count by EventType
Now all 5 EventTypes will be in the results regardless of their presence in the raw data.
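To make the mechanics of the two stats stages concrete, here is a small Python model of what that search does; it is an added illustration, not code from this thread or from Splunk, and the log lines and EventType values are constructed. The first function stands in for `stats count by EventType`, the second for the appended subsearch that fabricates one zero-count row per EventType, and the third for the final `stats sum(count) as count by EventType`.

```python
from collections import Counter
import re

# Constructed sample events (not from the thread): only EventType 1, 2 and 4
# actually occur, so 3 and 5 would be missing from a plain stats count.
SAMPLE_EVENTS = [
    "01/02/2015 10:00:01 EventCode=4624 EventType=1 User=alice",
    "01/02/2015 10:00:05 EventCode=4625 EventType=2 User=bob",
    "01/02/2015 10:00:09 EventCode=4624 EventType=1 User=carol",
    "01/02/2015 10:01:12 EventCode=4672 EventType=4 User=alice",
    "01/02/2015 10:01:30 EventCode=4624 EventType=1 User=dave",
]

# The list the search builds with split("1,2,3,4,5", ",")
EXPECTED_TYPES = ["1", "2", "3", "4", "5"]


def stats_count_by_eventtype(events):
    """First stage: '| stats count by EventType' over the raw data."""
    counts = Counter()
    for line in events:
        m = re.search(r"\bEventType=(\S+)", line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def zero_rows(expected):
    """The appended subsearch: '| stats count' on no events yields count=0,
    eval+mvexpand then turns that into one row per expected EventType."""
    return [{"EventType": t, "count": 0} for t in expected]


def merge_with_zero_rows(real_counts, expected):
    """Second stage: '| stats sum(count) as count by EventType' over both
    row sets. Adding 0 leaves the real counts unchanged, while EventTypes
    that were absent from the data now appear with count 0."""
    rows = [{"EventType": t, "count": c} for t, c in real_counts.items()]
    rows += zero_rows(expected)
    merged = {}
    for r in rows:
        merged[r["EventType"]] = merged.get(r["EventType"], 0) + r["count"]
    return dict(sorted(merged.items()))


def silent_eventtypes(merged):
    """Why a defender wants the zero rows: categories that logged nothing
    become visible instead of silently vanishing from the report."""
    return [t for t, c in merged.items() if c == 0]
```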
thank you for your response but the result given by the request is wrong 😞
That is odd. In case you read too fast and just pasted in the part starting with append, the full query is:
source="WinEventLog:" | stats count by EventType | append [| stats count | eval EventType=split("1,2,3,4,5",",") | mvexpand EventType] | stats sum(count) as count by EventType
it will give you exactly what you are asking for.
Thank you for your response, it didn't give me the right result because I had a mistake in my source. It was my fault.
Now it works perfectly thank you sideview have a nice day
Hi. stats will always show the count. If there are no events the result will show count as 0.
Thank you
Cool question. I can answer if you can fill in a couple blanks for me:
What app are you using? (search?)
Are the eventtypes shared or private? If shared, are they shared in app or globally?
Also is EventType a field you created or an actual "event type" knowledge object? (http://docs.splunk.com/Splexicon:Eventtype)
Thank you for your response.
* So, EventType is a field; we can say that it is a GameCategory, for example.
* Yes, I use the search app.
Take a look at this answer http://answers.splunk.com/answers/176466/how-to-use-eval-if-there-is-no-result-from-the-bas-1.html to get some more details about using stats count in such a use case.