https://community.splunk.com/t5/Splunk-Search/How-do-I-also-include-the-values-which-has-stats-count-0-in-the/m-p/371518#M109322 <P>You need source for a canonical list of "all the XYZ things". For simplicity, let's not use <CODE>xyz</CODE> but rather <CODE>host</CODE>.</P> <P>Let's assume you have the canonical list in a set of tags, then you can use this search to obtain it:</P> <PRE><CODE>| rest/servicesNS/-/-/configs/conf-tags | search YourTagNameHere=enabled | fields title | rex field=title mode=sed "s/host=//" | rename title AS host </CODE></PRE> <P>Let's assume it is in a CSV, then you can use this search to obtain it:</P> <PRE><CODE>| inputcsv MyCSV | table host </CODE></PRE> <P>In any case, once you have the search that generated the canonical list of hosts, you can do a search like this:</P> <PRE><CODE>YOUR DATA SEARCH HERE | append [YOUR SEARCH FOR CANONICAL LIST HERE] | stats values(*) AS * BY host </CODE></PRE> <P>You might start with a <CODE>tstats</CODE> search because it is so much more efficient:</P> <PRE><CODE>| tstats count where index=_* OR index=* BY host sourcetype index | append [YOUR SEARCH FOR CANONICAL LIST HERE] | stats values(*) AS * BY host </CODE></PRE> <P>Be aware that if you are doing <CODE>stats count</CODE> instead of <CODE>stats count(something)</CODE> you will have to do this at the end to get rid of the added non-data list:</P> <PRE><CODE>| eval count = count - 1 </CODE></PRE> Thu, 23 Mar 2017 15:02:32 GMT woodcock 2017-03-23T15:02:32Z https://community.splunk.com/t5/Splunk-Search/How-do-I-also-include-the-values-which-has-stats-count-0-in-the/m-p/371516#M109320 <P>I'm trying to get the usage of some values (say, xyz) by "stats count by xyz" where i am getting the results of xyz which has count greater than 0 like,<BR /> xyz | count <BR /> nasj | 10<BR /> asjn | 40<BR /> asjd | 23</P> <P>but i m also pretty sure where some values of xyz also has count 0. how do i get that ? should be like,<BR /> xyz | count <BR /> nasj | 10<BR /> asjn | 40<BR /> asjd | 23<BR /> ansj | 0<BR /> sfdn | 0</P> Thu, 23 Mar 2017 13:05:54 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-also-include-the-values-which-has-stats-count-0-in-the/m-p/371516#M109320 shaal89 2017-03-23T13:05:54Z https://community.splunk.com/t5/Splunk-Search/How-do-I-also-include-the-values-which-has-stats-count-0-in-the/m-p/371517#M109321 <P>One way to do this is if you pull, from somewhere, a list of all the values of xyz that you always want on the list. Then, you use sum() on a field with either a one (selected records) or a zero (all values to report) and it looks like this...</P> <PRE><CODE>...your search that gets all xyz records you want to count... | table xyz | eval mycount=1 | append [...your search that gets ALL xyz values that you want to report... | table xyz | eval mycount=0] | stats sum(mycount) as count by xyz </CODE></PRE> <P>So, here's a run-anywhere code sample demonstrating the technique with your fake data...</P> <PRE><CODE>| makeresults | eval xyz="nasj nasj nasj nasj nasj nasj nasj nasj nasj nasj asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjd asjd asjd asjd asjd asjd asjd asjd asjd asjd asjd asjd asjd asjd asjd asjd asjd asjd asjd asjd asjd asjd asjd" | makemv xyz | mvexpand xyz | table xyz | eval mycount=1 | append [| makeresults | eval xyz="nasj asjn asjd ansj sfdn" | makemv xyz | mvexpand xyz | table xyz | eval mycount=0] | stats sum(mycount) as count by xyz </CODE></PRE> Thu, 23 Mar 2017 14:29:08 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-also-include-the-values-which-has-stats-count-0-in-the/m-p/371517#M109321 DalJeanis 2017-03-23T14:29:08Z https://community.splunk.com/t5/Splunk-Search/How-do-I-also-include-the-values-which-has-stats-count-0-in-the/m-p/371518#M109322 <P>You need source for a canonical list of "all the XYZ things". For simplicity, let's not use <CODE>xyz</CODE> but rather <CODE>host</CODE>.</P> <P>Let's assume you have the canonical list in a set of tags, then you can use this search to obtain it:</P> <PRE><CODE>| rest/servicesNS/-/-/configs/conf-tags | search YourTagNameHere=enabled | fields title | rex field=title mode=sed "s/host=//" | rename title AS host </CODE></PRE> <P>Let's assume it is in a CSV, then you can use this search to obtain it:</P> <PRE><CODE>| inputcsv MyCSV | table host </CODE></PRE> <P>In any case, once you have the search that generated the canonical list of hosts, you can do a search like this:</P> <PRE><CODE>YOUR DATA SEARCH HERE | append [YOUR SEARCH FOR CANONICAL LIST HERE] | stats values(*) AS * BY host </CODE></PRE> <P>You might start with a <CODE>tstats</CODE> search because it is so much more efficient:</P> <PRE><CODE>| tstats count where index=_* OR index=* BY host sourcetype index | append [YOUR SEARCH FOR CANONICAL LIST HERE] | stats values(*) AS * BY host </CODE></PRE> <P>Be aware that if you are doing <CODE>stats count</CODE> instead of <CODE>stats count(something)</CODE> you will have to do this at the end to get rid of the added non-data list:</P> <PRE><CODE>| eval count = count - 1 </CODE></PRE> Thu, 23 Mar 2017 15:02:32 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-also-include-the-values-which-has-stats-count-0-in-the/m-p/371518#M109322 woodcock 2017-03-23T15:02:32Z