https://community.splunk.com/t5/Splunk-Search/Add-0-Count/m-p/47744#M11393 <P>Need some help adding a 0 count at search time.</P> <P>I have a log that contains the execution duration of a code function.<BR /> Using stats I can count the number of times the function took<BR /><BR /><BR /> |stats count by functionDuration</P> <P>functionDuration|count<BR /><BR /> 120|1<BR /><BR /> 122|2<BR /><BR /> 123|1<BR /><BR /> 124|5<BR /><BR /> 130|10<BR /><BR /> 132|8<BR /><BR /> <BR /><BR /> From this the functionDuration took 120 1 time, 122 2 times, etc...</P> <P>I would like to show a count of 0 for the missing functionDuration times.</P> <P>functionDuration|count<BR /><BR /> 120|1<BR /><BR /> 121|0<BR /><BR /> 122|2<BR /><BR /> 123|1<BR /><BR /> 124|5<BR /><BR /> 125|0<BR /><BR /> 126|0<BR /><BR /> 127|0<BR /><BR /> 128|0<BR /><BR /> 129|0<BR /><BR /> 130|10<BR /><BR /> 131|0<BR /><BR /> 132|8<BR /></P> <P>I searched around and couldn't find answer.<BR /> Thanks for any help.</P> Thu, 10 May 2012 01:36:33 GMT johnmca 2012-05-10T01:36:33Z https://community.splunk.com/t5/Splunk-Search/Add-0-Count/m-p/47744#M11393 <P>Need some help adding a 0 count at search time.</P> <P>I have a log that contains the execution duration of a code function.<BR /> Using stats I can count the number of times the function took<BR /><BR /><BR /> |stats count by functionDuration</P> <P>functionDuration|count<BR /><BR /> 120|1<BR /><BR /> 122|2<BR /><BR /> 123|1<BR /><BR /> 124|5<BR /><BR /> 130|10<BR /><BR /> 132|8<BR /><BR /> <BR /><BR /> From this the functionDuration took 120 1 time, 122 2 times, etc...</P> <P>I would like to show a count of 0 for the missing functionDuration times.</P> <P>functionDuration|count<BR /><BR /> 120|1<BR /><BR /> 121|0<BR /><BR /> 122|2<BR /><BR /> 123|1<BR /><BR /> 124|5<BR /><BR /> 125|0<BR /><BR /> 126|0<BR /><BR /> 127|0<BR /><BR /> 128|0<BR /><BR /> 129|0<BR /><BR /> 130|10<BR /><BR /> 131|0<BR /><BR /> 132|8<BR /></P> <P>I searched around and couldn't find answer.<BR /> Thanks for any help.</P> Thu, 10 May 2012 01:36:33 GMT https://community.splunk.com/t5/Splunk-Search/Add-0-Count/m-p/47744#M11393 johnmca 2012-05-10T01:36:33Z https://community.splunk.com/t5/Splunk-Search/Add-0-Count/m-p/47745#M11394 <P>Maybe this one could help with some inspiration? <A href="http://splunk-base.splunk.com/answers/23839/include-zero-count-in-stats-count">http://splunk-base.splunk.com/answers/23839/include-zero-count-in-stats-count</A></P> Thu, 10 May 2012 21:56:21 GMT https://community.splunk.com/t5/Splunk-Search/Add-0-Count/m-p/47745#M11394 Ayn 2012-05-10T21:56:21Z https://community.splunk.com/t5/Splunk-Search/Add-0-Count/m-p/47746#M11395 <P>It would be nice if you could just have a command called like <CODE>generateRows rows=N</CODE> that would generate a result set with N rows. </P> <P>However we can hack one together ourselves using a search for the 1000 most recent events in the last 30 days. </P> <P><CODE>&lt;search terms&gt; | stats count by functionDuration | append [| search index=* OR index=_internal earliest=-30d | head 1000 | fields - * | fields - _* | streamstats count | rename count as functionDuration | eval count=0] | stats sum(count) as count by functionDuration | sort functionDuration</CODE></P> <P>The basic idea is, use our weird subsearch hack to append 1000 rows, with every functionDuration value from 1-1000 represented. Then when we wash the original "real" events together with the fake events, through `| stats sum(count) as count by functionDuration), suddenly we'll have every functionDuration value from 1-1000 represented... </P> <P>Alternates: <BR /> 1) Instead of the weird <CODE>index=* OR index=_*</CODE> search, you could also just use a csv in /var/run/dispatch that has 1000 rows in it.<BR /><BR /> 2) Or you could do the trick in that other answer, where you do <CODE>| eval foo="1,2,3,4,5,6,7,8,..." | eval foo=split(foo,",") | mvexpand foo</CODE>, but I'm not sure those commands will be overjoyed at expanding out to thousands of rows... You might hit a limit around 100 or a couple hundred. </P> Fri, 11 May 2012 00:01:51 GMT https://community.splunk.com/t5/Splunk-Search/Add-0-Count/m-p/47746#M11395 sideview 2012-05-11T00:01:51Z https://community.splunk.com/t5/Splunk-Search/Add-0-Count/m-p/47747#M11396 <P>Thanks - this worked great to fill in all the 0 for my missing values.</P> Tue, 14 Jan 2014 05:25:20 GMT https://community.splunk.com/t5/Splunk-Search/Add-0-Count/m-p/47747#M11396 the_wolverine 2014-01-14T05:25:20Z