- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to modify the retrun value of stats count...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to modify the retrun value of stats count by search using eval
I am running a search query like this
index=w3c host=web-a OR host=web-b ASP_NET_SessionId=* c_ip=x.x.x.* | eval cur=if(_time>relative_time(now(),"-15m"),1,0) | stats dc(ASP_NET_SessionId) by cur | sort -cur
the return value of the above search sometimes return both values and sometime only one.
i.e.
Cur dc(ASP_NET_SessionId)
1 15
0 2
And sometimes I may get,
Cur dc(ASP_NET_SessionId)
1 12
And sometimes I may get,
"No results found"
I suspect that I am not seeing the 2nd row (or No results found) here most likely because of the fact that the return value of dc(ASP_NET_SessionId) may be 0.
My question is, is there a way to modify the search so that I always get two rows even if the value is zero. I just want to display as zero and not a missing line or "No results found". So it should look like
Cur dc(ASP_NET_SessionId)
1 0
0 0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, the following query worked. It gave me the result I wanted as per above.
index=w3c host=web-a OR host=web-b ASP_NET_SessionId=* c_ip=x.x.x.*
| eval cur=if(_time>relative_time(now(),"-15m"),1,0)
| append [ stats count | eval cur = if(count == 0, 0,1)]
| append [ stats count | eval cur = if(count == 0, 1,0)]
| stats dc(ASP_NET_SessionId) by cur | sort -cur
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try following
*| head 1 | eval cur="1,0" | fields cur| eval cur=split(cur,",") | mvexpand cur | join type=left cur [search index=w3c host=web-a OR host=web-b ASP_NET_SessionId=* c_ip=x.x.x.* | eval cur=if(_time>relative_time(now(),"-15m"),1,0) | stats dc(ASP_NET_SessionId) by cur ]| sort -cur]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
should be fields instead of field
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you again. When I try the above, I get "unknown search command 'field'"
Sorry for my delayed resposne. I was away on leave for last 4 weeks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try using fillnull.
index=w3c host=web-a OR host=web-b ASP_NET_SessionId=* c_ip=x.x.x.* | eval cur=if(_time>relative_time(now(),"-15m"),1,0) | fillnull value="0" | stats dc(ASP_NET_SessionId) by cur | sort -cur
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your response. Tried that, no difference.
Introducing the Splunk Community Dashboard Challenge!
Wondering How to Build Resiliency in the Cloud?
Updated Data Management and AWS GDI Inventory in Splunk Observability
