Solved: Include row for zero resutls

lawrenn · ‎07-07-2011

I have several searches that count the number of results per day, using "stats count by date_mday". My problem is that they don't include days with 0 results, which means I have to do a bit of manipulation after running the search.

Is there any way of forcing it to include a date entry for days with 0 matches?

I was wondering if I could achieve this with timechart and fillnull, but found the documentation (http://www.splunk.com/base/Documentation/4.2.2/SearchReference/Timechart) a bit confusing.

Thanks.

BobM · ‎07-07-2011

Yes you can

your search | timechart span="1d" count | eval date_mday=strftime(_time, "%d") | fields count date_mday

the timechart does most of what you want but the date_mday is blank for dates with no data so the eval recreates this field and finally the fields command cleans up the result.

View solution in original post

BobM · ‎07-07-2011

Yes you can

your search | timechart span="1d" count | eval date_mday=strftime(_time, "%d") | fields count date_mday

the timechart does most of what you want but the date_mday is blank for dates with no data so the eval recreates this field and finally the fields command cleans up the result.

lawrenn · ‎07-07-2011

Thank you very much for your help

Include row for zero resutls

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk