https://community.splunk.com/t5/Splunk-Search/Search-to-show-zero-when-no-results/m-p/68424#M17144 <P>Hmm it looks like this only works, if your search returns at least one event....</P> Wed, 19 Jun 2013 15:37:13 GMT MuS 2013-06-19T15:37:13Z https://community.splunk.com/t5/Splunk-Search/Search-to-show-zero-when-no-results/m-p/68419#M17139 <P>I have the following search:</P> <PRE><CODE>earliest=@d+11h latest=@d+22h index="daluat" Action="DAL*" | timechart span=30m count </CODE></PRE> <P>At the moment there are no results. And I get the "No results..." message. <BR /> But I want to see a 0 for every 30-minute timespan between 1100 and 2200. <BR /> How do I do this?</P> <P>If there was a single result I get the full table- but if there were results then an alert would not trigger.</P> <P>Thanks,<BR /> Matt</P> Wed, 19 Jun 2013 10:43:49 GMT https://community.splunk.com/t5/Splunk-Search/Search-to-show-zero-when-no-results/m-p/68419#M17139 matthewcanty 2013-06-19T10:43:49Z https://community.splunk.com/t5/Splunk-Search/Search-to-show-zero-when-no-results/m-p/68420#M17140 <P>Hi matthewcanty</P> <P>you can use fillnull on your search and you will get 0 for every empty field</P> <PRE><CODE>... | fillnull </CODE></PRE> <P>read more here <A href="http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Fillnull">http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Fillnull</A></P> <P>cheers, MuS</P> Wed, 19 Jun 2013 13:02:51 GMT https://community.splunk.com/t5/Splunk-Search/Search-to-show-zero-when-no-results/m-p/68420#M17140 MuS 2013-06-19T13:02:51Z https://community.splunk.com/t5/Splunk-Search/Search-to-show-zero-when-no-results/m-p/68421#M17141 <P>MuS you beat me to it.</P> Wed, 19 Jun 2013 13:04:12 GMT https://community.splunk.com/t5/Splunk-Search/Search-to-show-zero-when-no-results/m-p/68421#M17141 sdaniels 2013-06-19T13:04:12Z https://community.splunk.com/t5/Splunk-Search/Search-to-show-zero-when-no-results/m-p/68422#M17142 <P>out luck /K was not around, he would have answered this loooong before us <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 19 Jun 2013 13:16:56 GMT https://community.splunk.com/t5/Splunk-Search/Search-to-show-zero-when-no-results/m-p/68422#M17142 MuS 2013-06-19T13:16:56Z https://community.splunk.com/t5/Splunk-Search/Search-to-show-zero-when-no-results/m-p/68423#M17143 <P>Doesn't work anyway guys.</P> Wed, 19 Jun 2013 13:31:03 GMT https://community.splunk.com/t5/Splunk-Search/Search-to-show-zero-when-no-results/m-p/68423#M17143 matthewcanty 2013-06-19T13:31:03Z https://community.splunk.com/t5/Splunk-Search/Search-to-show-zero-when-no-results/m-p/68424#M17144 <P>Hmm it looks like this only works, if your search returns at least one event....</P> Wed, 19 Jun 2013 15:37:13 GMT https://community.splunk.com/t5/Splunk-Search/Search-to-show-zero-when-no-results/m-p/68424#M17144 MuS 2013-06-19T15:37:13Z https://community.splunk.com/t5/Splunk-Search/Search-to-show-zero-when-no-results/m-p/68425#M17145 <P><A href="http://answers.splunk.com/answers/118496/fill-in-0-for-timechart-with-missing-values">http://answers.splunk.com/answers/118496/fill-in-0-for-timechart-with-missing-values</A></P> Thu, 13 Feb 2014 18:29:57 GMT https://community.splunk.com/t5/Splunk-Search/Search-to-show-zero-when-no-results/m-p/68425#M17145 the_wolverine 2014-02-13T18:29:57Z https://community.splunk.com/t5/Splunk-Search/Search-to-show-zero-when-no-results/m-p/68426#M17146 <P>Try this:</P> <P>earliest=@d+11h latest=@d+22h index="daluat" Action="DAL*" | append [| search | fields - * | eval count=0] | timechart span=30m count</P> Fri, 16 Jun 2017 02:54:20 GMT https://community.splunk.com/t5/Splunk-Search/Search-to-show-zero-when-no-results/m-p/68426#M17146 splunk_kk 2017-06-16T02:54:20Z https://community.splunk.com/t5/Splunk-Search/Search-to-show-zero-when-no-results/m-p/68427#M17147 <P>Yes, same thing is happening on my side. Fillnull is made for returning value for null attributes but the condition is to have at least a row of results. When there are no results at all, there is no fillnull working in that condition.</P> Mon, 17 Jun 2019 15:30:43 GMT https://community.splunk.com/t5/Splunk-Search/Search-to-show-zero-when-no-results/m-p/68427#M17147 harry2007gsp 2019-06-17T15:30:43Z https://community.splunk.com/t5/Splunk-Search/Search-to-show-zero-when-no-results/m-p/68428#M17148 <P>Greetings from the future,</P> <P>you can run a search like this:</P> <PRE><CODE>index=_internal | stats count by sourcetype | append [| stats count | eval sourcetype=if(isnull(sourcetype), "Nothing to see here, move along!", sourcetype)] | streamstats count AS line_num | eval head_num=if(line_num &gt; 1, line_num - 1, 1) | where NOT ( count=0 AND head_num &lt; line_num ) | table sourcetype count </CODE></PRE> <P>cheers, MuS</P> Tue, 18 Jun 2019 19:05:22 GMT https://community.splunk.com/t5/Splunk-Search/Search-to-show-zero-when-no-results/m-p/68428#M17148 MuS 2019-06-18T19:05:22Z