https://community.splunk.com/t5/Splunk-Search/Show-results-of-stats-count-when-result-is-0/m-p/515545#M144759 <LI-CODE lang="markup">| tstats count where index=A OR index=B OR index=C | append [|makeresults | eval index=split("ABC",""), count=0 | mvexpand index| table index count] | dedup index | eval "Log Source"=case(index == "A", "indexA", index == "B", "indexB", index == "C", "IndexC") | table "Log Source" count</LI-CODE><P>your sample is "index=A" , so it's difficult to use split() for actually log, I guess. you can do it.</P> Fri, 21 Aug 2020 20:29:47 GMT to4kawa 2020-08-21T20:29:47Z https://community.splunk.com/t5/Splunk-Search/Show-results-of-stats-count-when-result-is-0/m-p/515532#M144751 <P>I have a search using stats count but it is not showing the result for an index that has 0 results. There is two columns, one for Log Source and the one for the count.&nbsp; &nbsp;I'd like to&nbsp; show the count of EACH index, even if there is 0 result.&nbsp;</P><P>example</P><P>log source&nbsp; count<BR />A&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 20<BR />B&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 10<BR />C&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;0</P><P>&nbsp;</P><LI-CODE lang="markup">index=A or index=B or index=C | eval "Log Source"=case(index == "A", "indexA", index == "B", "indexB", index == "C", "IndexC") | stats count by "Log Source"</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 21 Aug 2020 22:13:42 GMT https://community.splunk.com/t5/Splunk-Search/Show-results-of-stats-count-when-result-is-0/m-p/515532#M144751 tromero3 2020-08-21T22:13:42Z https://community.splunk.com/t5/Splunk-Search/Show-results-of-stats-count-when-result-is-0/m-p/515537#M144755 <P>fillnull</P> Fri, 21 Aug 2020 19:12:12 GMT https://community.splunk.com/t5/Splunk-Search/Show-results-of-stats-count-when-result-is-0/m-p/515537#M144755 jorjiana88 2020-08-21T19:12:12Z https://community.splunk.com/t5/Splunk-Search/Show-results-of-stats-count-when-result-is-0/m-p/515538#M144756 <P>already tried that, it doesn't work</P> Fri, 21 Aug 2020 19:19:14 GMT https://community.splunk.com/t5/Splunk-Search/Show-results-of-stats-count-when-result-is-0/m-p/515538#M144756 tromero3 2020-08-21T19:19:14Z https://community.splunk.com/t5/Splunk-Search/Show-results-of-stats-count-when-result-is-0/m-p/515545#M144759 <LI-CODE lang="markup">| tstats count where index=A OR index=B OR index=C | append [|makeresults | eval index=split("ABC",""), count=0 | mvexpand index| table index count] | dedup index | eval "Log Source"=case(index == "A", "indexA", index == "B", "indexB", index == "C", "IndexC") | table "Log Source" count</LI-CODE><P>your sample is "index=A" , so it's difficult to use split() for actually log, I guess. you can do it.</P> Fri, 21 Aug 2020 20:29:47 GMT https://community.splunk.com/t5/Splunk-Search/Show-results-of-stats-count-when-result-is-0/m-p/515545#M144759 to4kawa 2020-08-21T20:29:47Z https://community.splunk.com/t5/Splunk-Search/Show-results-of-stats-count-when-result-is-0/m-p/515549#M144760 <P>Im confused about the split part, is that just combining the name of each index into one? (where you put&nbsp;</P><LI-CODE lang="markup">("ABC","")</LI-CODE><P>&nbsp;And why is that part needed?</P><P>My index names are actually longer of course and with dashes in the name such as "first-index", "second-index', etc&nbsp;</P><P>Also the first part of my search is longer not just the individual index. But more like</P><LI-CODE lang="markup">(index=first-index event_type=security) OR (index=second-index rule_reason=IPblock)</LI-CODE><P>and so on...</P> Fri, 21 Aug 2020 21:01:26 GMT https://community.splunk.com/t5/Splunk-Search/Show-results-of-stats-count-when-result-is-0/m-p/515549#M144760 tromero3 2020-08-21T21:01:26Z https://community.splunk.com/t5/Splunk-Search/Show-results-of-stats-count-when-result-is-0/m-p/515550#M144761 <P>You asked what to do if you don't have index ABC, so I answered, but the conditions are totally different.</P><P>I can't answer this. Good luck.</P> Fri, 21 Aug 2020 21:06:54 GMT https://community.splunk.com/t5/Splunk-Search/Show-results-of-stats-count-when-result-is-0/m-p/515550#M144761 to4kawa 2020-08-21T21:06:54Z https://community.splunk.com/t5/Splunk-Search/Show-results-of-stats-count-when-result-is-0/m-p/515588#M144774 <P>Have you considered appending a dummy event for each log and then subtracting 1 from every count?</P> Sat, 22 Aug 2020 10:28:05 GMT https://community.splunk.com/t5/Splunk-Search/Show-results-of-stats-count-when-result-is-0/m-p/515588#M144774 ITWhisperer 2020-08-22T10:28:05Z https://community.splunk.com/t5/Splunk-Search/Show-results-of-stats-count-when-result-is-0/m-p/515621#M144779 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/39047">@tromero3</a>&nbsp;<BR /><BR />You can hard code the log source list to the end of your results.&nbsp; Using your initial example query something like this should work.</P><LI-CODE lang="markup">index=A or index=B or index=C | eval "Log Source"=case(index == "A", "indexA", index == "B", "indexB", index == "C", "IndexC") | stats count by "Log Source" `comment("# ensure all log sources listed")` | append [| makeresults | eval indexA="", indexB="", indexC="" | table indexA indexB indexC | transpose column_name="Log Source" ] | stats max(count) AS count BY "Log Source" | fillnull value=0 count</LI-CODE><P>&nbsp;Hope this helps.</P> Sun, 23 Aug 2020 06:53:07 GMT https://community.splunk.com/t5/Splunk-Search/Show-results-of-stats-count-when-result-is-0/m-p/515621#M144779 yeahnah 2020-08-23T06:53:07Z https://community.splunk.com/t5/Splunk-Search/Show-results-of-stats-count-when-result-is-0/m-p/515883#M144875 <P>wow that worked perfectly, thank you!&nbsp;<span class="lia-unicode-emoji" title=":grinning_face:">😀</span></P> Mon, 24 Aug 2020 20:08:44 GMT https://community.splunk.com/t5/Splunk-Search/Show-results-of-stats-count-when-result-is-0/m-p/515883#M144875 tromero3 2020-08-24T20:08:44Z