Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to default a key value if a reduce function "stats" does not return any results...

lpolo
Motivator
‎01-22-2013 11:46 AM

I have the following query:

index=hello field=0 client=vip|stats dc(id) as no_event by client

If there is not any key=value pair "field=0" my reduced by _time function "stats" will not report any results. Based on these premises I have the following question which is related to:

[http://splunk-base.splunk.com/answers/67740/how-to-detect-and-fill-default-value-to-empty-value-field][1]

Is there a way in the splunk query language to default the results of the reduce function in case there is not any event?

Example:
log events:

01/01/2013 01:00:000 field=1 client=vip id=0002
01/02/2013 01:00:000 field=0 client=vip id=0006
01/03/2013 01:00:000 field=4 client=vip id=0008
01/05/2013 01:00:000 field=6 client=vip id=0010

Observation: There is not any event for 01/04/2013.

I need this result set:

_time                no_event
01/01/2013 01:00:000  1
01/02/2013 01:00:000  1
01/03/2013 01:00:000  1
01/04/2013 01:00:000  0
01/05/2013 01:00:000  1

Thanks,
Lp

Tags (1)
0 Karma
Reply

jonuwz
Influencer
‎01-22-2013 12:40 PM

Like this :

index=hello field=0 client=vip|stats dc(id) as no_event by client 
| appendpipe [ stats count as no_event | eval client="vip" | where no_event==0 ]

the appendpipe sets no_event to the number of rows returned.

We then create a field called client set to 'vip'

We then only add the row to the main search if no_event is 0

Update

index=hello field=0 client=vip
| stats dc(id) as no_event by _time
| makecontinuous _time
| fillnull value=0 no_event
Reply

lpolo
Motivator
‎01-23-2013 08:28 AM

Search command makecontinuous _time worked. I did not know this command.

Thank you.
Lp

0 Karma
Reply

jonuwz
Influencer
‎01-23-2013 05:39 AM

updated answer

0 Karma
Reply

lpolo
Motivator
‎01-23-2013 04:43 AM

I updated the question. So you may guide me if there is a solution.

0 Karma
Reply

jonuwz
Influencer
‎01-22-2013 02:14 PM

from my answer you referenced 😛 . You should post as answers, you post good comments.

0 Karma
Reply

jguarini
Path Finder
‎01-22-2013 12:55 PM

kind a like I posted 😉

0 Karma
Reply

jguarini
Path Finder
‎01-22-2013 12:09 PM

how about the solution presented in

http://splunk-base.splunk.com/answers/59589/no-results-found-to-be-represented-as-null-or-0

then you end could look like

| stats dc(id) as no_event by client | appendpipe [ stats count | eval id=0 | where count==0 | rename id as no_event | fields - count ]

0 Karma
Reply

lpolo
Motivator
‎01-22-2013 11:58 AM

Yes, I tried. it does not do the job.

0 Karma
Reply

jguarini
Path Finder
‎01-22-2013 11:52 AM

have you tried fillnull ?

maybe something like

index=hello field=0 client=vip|stats dc(id) as no_event by client | fillnull value=0 no_event

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...