topic how to get data as per _time when count is 0 in Splunk Search

how to get data as per _time when count is 0

Learner — Tue, 20 Apr 2021 12:07:56 GMT

index=dummy <mySearchCondition>| search response_code1!=200| stats count

when i search for this query i get output as 0 in count column. but when i try this query:

index=dummy <mysearchCondition> | bin _time span=1d |eval Time=strftime(_time , "%d/%m/%Y %H:%M")| search response_code1!=200| stats count by Time

expected ans for this:

Time	count
2021-04-20 04:36	0

i'm not able to see any output. what to do?

Re: how to get data as per _time when count is 0

ITWhisperer — Tue, 20 Apr 2021 12:55:51 GMT

bin _time span=1d

Snaps all values of _time to the start of day i.e. 00:00 so you will not see 04:36. Also, the time format you seem to be expecting is not the format you have used for Time. Apart from that, you should get counts for the days present in your search, except when you have removed all the events for any particular day. The stats are grouped by Time and there are no values for Time once you have filtered out all the response_code1=200