topic Re: Display row, even when count over value is zero in Splunk Search

Display row, even when count over value is zero

Re: Display row, even when count over value is zero

Re: Display row, even when count over value is zero

Re: Display row, even when count over value is zero

Re: Display row, even when count over value is zero

Re: Display row, even when count over value is zero

Re: Display row, even when count over value is zero

Re: Display row, even when count over value is zero

Re: Display row, even when count over value is zero

JMFrank215 — Sun, 29 Nov 2020 00:58:37 GMT

I have the following search:

index=aa sourcetype="bb" Service="/abc" OR Service="/mno" OR Service="/xyz" | chart count over Service by ZCode | addtotals

This returns the count of ZCode across /abc, /mno, and/xyz. Example would look like this:

Service	200	400	500	504	Total
/abc	2	3	1	2	8
/mno	1	4	0	1	6
/xyz	4	0	5	2	11

The problem I'm facing is if the values for 200, 400, 500, and 504 are all zeros across one service, it will no longer display that service. Very new to Splunk but did a fair amount of research but could not find a solution. Thank you!

ITWhisperer — Sun, 29 Nov 2020 11:03:35 GMT

The reason you couldn't find a solution is that basically there is no (simple) solution. splunk reports what is there, not what is not there. If there are no entries for a service, let's say /abc, from your example, how does splunk know to report on it? What about service /cba or /nonexistent or /completelymadeup? In order for splunk to report on things it hasn't found events for, you need to add dummy events as part of your search. You can do this with append and makeresults or inputlookup or a join from a wider search where the services you are interested in did have events.

JMFrank215 — Mon, 30 Nov 2020 16:52:05 GMT

interesting, I would think it would still know to report on it because it is counting over all three of those services. That makes sense though. Anywhere you can point me to on how I would create dummy events for these services? Very very new to Splunk and this type of thing in general - everything I'm seeing and reading is a little overwhelming

bowesmana — Thu, 03 Dec 2020 04:54:22 GMT

@JMFrank215

It's not actually counting over anything, it's just looking at the data that exists as @ITWhisperer says.

There is no what to know that your search term is supposed to be interpreted as a 'service'.

The simplest thing to do is to add this before your addtotals

Clearly your service names are not real, so in practice, you would most likely have a CSV file with your expected service names in there and inside the append, you would have a

| inputlookup your_service_list.csv

which would contain a column called Service

JMFrank215 — Thu, 03 Dec 2020 22:48:41 GMT

Thank you, that explanation was really helpful. I tried adding what you suggested but even after playing around with some of the syntax, I am still getting "Error in 'eval' command: The arguments to the 'split' function are invalid." I can't seem to figure out why, maybe there's a small error in what I'm doing?

I can use my actual service names if that helps at all, was just being cautious about using actual information but can't imagine it matters at all. My search that returns the above error is below. It just has the three services called. Any input would be much appreciated

index=xx sourcetype="yy" Service="POST /loan/api/" OR Service="POST /credit/api/ OR Service="POST /transfer/api"

| chart count over Service by ZCode

| append [

| makeresults

| eval Service=split("POST /loan/api/", "POST /deposit/api/", "POST /transfer/api")

]

| stats values(*) as * by Service

| fillnull value=0

| addtotals

bowesmana — Fri, 04 Dec 2020 01:04:11 GMT

@JMFrank215

Your split statement is wrong. It takes 2 params

1=the string to split

2=the delimiter

So, all the service names should be in a single string separated by comma and the delimiter is ","

So, that is creating a multi-value field called Service in the appended row, which is then used in the stats aggregation.

JMFrank215 — Fri, 04 Dec 2020 02:19:49 GMT

Ah okay, I totally misinterpreted that part of your first response - still a novice. Seems to run correctly now but is there a way for it to only show those newly created services if there are no counts for the service? So would like for it to show the actual call counts for loan/api/ and /credit/api (rows 4 and 5) and then since there were no calls for /transfer/api/, display the newly created service for that (row 3). Not sure if that is too complicated or not possible? Table displayed is below, really appreciate all your help!

bowesmana — Sun, 06 Dec 2020 22:58:40 GMT

The table is not right in that it is not treating your POST /loan/api service (row 1) the same as your row 4. Looks like that's most likely because you have a space in front of the POST in your append split clause. Without the space you would only get 3 rows as it would treat 1+4 and 2+5 as the same services.

Service

POST /loan/api/

POST /credit/api/

POST /transfer/api

POST /loan/api/

POST /credit/api/

JMFrank215 — Mon, 07 Dec 2020 04:41:44 GMT

Yup, that did it. I missed that there couldn't be spaces between the services I wanted to split. Didn't realize Splunk was this strict, going to be tough to learn but hoping I get there eventually. Thanks so much for your help!