Solved: Re: Include row for zero resutls

lawrenn · ‎07-07-2011

I have several searches that count the number of results per day, using "stats count by date_mday". My problem is that they don't include days with 0 results, which means I have to do a bit of manipulation after running the search.

Is there any way of forcing it to include a date entry for days with 0 matches?

I was wondering if I could achieve this with timechart and fillnull, but found the documentation (http://www.splunk.com/base/Documentation/4.2.2/SearchReference/Timechart) a bit confusing.

Thanks.

BobM · ‎07-07-2011

Yes you can

your search | timechart span="1d" count | eval date_mday=strftime(_time, "%d") | fields count date_mday

the timechart does most of what you want but the date_mday is blank for dates with no data so the eval recreates this field and finally the fields command cleans up the result.

View solution in original post

BobM · ‎07-07-2011

Yes you can

your search | timechart span="1d" count | eval date_mday=strftime(_time, "%d") | fields count date_mday

the timechart does most of what you want but the date_mday is blank for dates with no data so the eval recreates this field and finally the fields command cleans up the result.

lawrenn · ‎07-07-2011

Thank you very much for your help

Include row for zero resutls

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability