I am trying to get the result even if no results match.
fillnull works fine with:
search sourcetype="test" Status < 0 | stats sparkline(count) as spark1, count as "Error Count" | fillnull
but not with:
search sourcetype="test" Status < 0 | stats sparkline(count) as spark1, count as "Error Count" by sourcetype | fillnull
Is there any way the second query can be fixed?
Thanks
Is there data showing up at all with the second one? Can you show some sample data?
try this:
search sourcetype="test" Status < 0 | stats sparkline(count) as spark1, count as "Error Count" by sourcetype| appendpipe [ stats count | eval "Error Count"="0" | where count==0 |table "Error Count"]
Thanks for the query, unfortunately it does gives the expected result-
search sourcetype="test" Status < 0 | stats sparkline(count) as spark1, count as "Error Count" by sourcetype| appendpipe [ stats count | eval "Error Count"="0" | where count==0 |table "Error Count"]
It gives me:
sourcetype    spark1    Error Count
                        0
Result should be like:
sourcetype    spark1    Error Count
test                    0
Just add | eval sourcetype ="test"
at the end of the subsearch.
sourcetype="test" Status < 0 | stats sparkline(count) as spark1, count as "Error Count" by sourcetype| appendpipe [ stats count | eval "Error Count"="0" | where count==0 |table "Error Count" | eval sourcetype ="test"]
Works like a charm.
Thanks