https://community.splunk.com/t5/Splunk-Search/Default-value-for-stats-count-or-top/m-p/463983#M130796 <P>This should be a trivial thing, but I'm having a hard time figuring out how to do it in Splunk: how do I use a default value for a key?</P> <P>Here's an example: suppose I'm interested in HTTP status codes, so I do something like<BR /> <CODE><BR /> index=whatever "HTTP/1.1"<BR /> | top status_code<BR /> </CODE><BR /> If there are no 5xx errors, I'd like this to return "0%"; otherwise, return the % of 5xx errors.</P> <P>This should be trivial no?</P> <P>In SQL, I guess the way I'd do this is to have some table on the left side of a join, containing every possible HTTP status code. Then <CODE>LEFT OUTER JOIN</CODE> to a table that generates actual percentages by error code, and use <CODE>COALESCE()</CODE> to return a zero if there's nothing on the right side corresponding to that status code. What's the Splunk equivalent?</P> Mon, 26 Aug 2019 18:05:31 GMT shulmaniel 2019-08-26T18:05:31Z https://community.splunk.com/t5/Splunk-Search/Default-value-for-stats-count-or-top/m-p/463983#M130796 <P>This should be a trivial thing, but I'm having a hard time figuring out how to do it in Splunk: how do I use a default value for a key?</P> <P>Here's an example: suppose I'm interested in HTTP status codes, so I do something like<BR /> <CODE><BR /> index=whatever "HTTP/1.1"<BR /> | top status_code<BR /> </CODE><BR /> If there are no 5xx errors, I'd like this to return "0%"; otherwise, return the % of 5xx errors.</P> <P>This should be trivial no?</P> <P>In SQL, I guess the way I'd do this is to have some table on the left side of a join, containing every possible HTTP status code. Then <CODE>LEFT OUTER JOIN</CODE> to a table that generates actual percentages by error code, and use <CODE>COALESCE()</CODE> to return a zero if there's nothing on the right side corresponding to that status code. What's the Splunk equivalent?</P> Mon, 26 Aug 2019 18:05:31 GMT https://community.splunk.com/t5/Splunk-Search/Default-value-for-stats-count-or-top/m-p/463983#M130796 shulmaniel 2019-08-26T18:05:31Z https://community.splunk.com/t5/Splunk-Search/Default-value-for-stats-count-or-top/m-p/463984#M130797 <P>You can do the same in Splunk by creating a lookup table that contains all the HTTP code you are interested in. </P> <P>index=whatever "HTTP/1.1"<BR /> | stats count by status_code<BR /> | inputlookup YourLookupFile <BR /> | stats sum(count) as count by status_code<BR /> | fillnull value=0 count</P> <P>The end results, will be a list of all status_codes with their counts, code with no count will show 0</P> Wed, 30 Sep 2020 01:55:49 GMT https://community.splunk.com/t5/Splunk-Search/Default-value-for-stats-count-or-top/m-p/463984#M130797 solarboyz1 2020-09-30T01:55:49Z https://community.splunk.com/t5/Splunk-Search/Default-value-for-stats-count-or-top/m-p/463985#M130798 <P>This is the <CODE>Sentinel Search</CODE> problem discussed (with solution) here:</P> <P><A href="https://conf.splunk.com/session/2015/conf2015-LookupTalk.pdf">https://conf.splunk.com/session/2015/conf2015-LookupTalk.pdf</A></P> Mon, 26 Aug 2019 18:26:59 GMT https://community.splunk.com/t5/Splunk-Search/Default-value-for-stats-count-or-top/m-p/463985#M130798 woodcock 2019-08-26T18:26:59Z https://community.splunk.com/t5/Splunk-Search/Default-value-for-stats-count-or-top/m-p/463986#M130799 <P>This may help you to convert your sql query to spl.<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/SQLtoSplunk">https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/SQLtoSplunk</A></P> Mon, 26 Aug 2019 18:30:30 GMT https://community.splunk.com/t5/Splunk-Search/Default-value-for-stats-count-or-top/m-p/463986#M130799 mayurr98 2019-08-26T18:30:30Z