- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to display zero count in a stats table?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I wonder whether someone may be able to help me please.
I'm using the following stats query.
`wso2_wmf(RequestCompleted)`
| dedup eventId
| stats count by request.detailContext
The problem I have is that it's not displaying zero values for the request.detail.Context field.
If I use '| fillnull value=0' then specify each value from the request.detail.Context field then it does display those values with a zero count.
But the problem with this, is that because I'm being prescriptive in field values, when new field values are being ingested into Splunk for this field, they are not being extracted in the stats table.
I've looked at every post I could find of a similar nature and the solutions provided haven't worked. Could someone perhaps have a look at this and offer some guidance on how I may go about achieving this.
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is the Sentinel Search problem discussed (with solution) here:
https://conf.splunk.com/session/2015/conf2015-LookupTalk.pdf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is the Sentinel Search problem discussed (with solution) here:
https://conf.splunk.com/session/2015/conf2015-LookupTalk.pdf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Many thanks @woodcock.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Don't thank me, thank @duckfez! 😆 Maybe he will comment and you can UpVote him.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hopefully he will, so can give him the credit aswell.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Might not be the answer, but an idea how to handle the case where the base search does not return events .... read here : https://answers.splunk.com/answers/176466/how-to-use-eval-if-there-is-no-result-from-the-bas-1.html
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @MuS. Doesn't quite work for my circumstances, but it does seem to be a common issue.
Thank you for taking the time to reply.
Many thanks and kind regards
Chris
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
