https://community.splunk.com/t5/Splunk-Search/Stats-not-returning-zero-counts/m-p/251329#M175874 <P>(Assuming you want zero counts for host) <BR /> You're going to have to either maintain a lookup of the hosts you are interested in, or search for all the hosts in certain time range. If you're happy with a lookup, then you can run your query like this: </P> <PRE><CODE>| inputlookup interesting_hosts | fields host | join type=left host [ search index=xxx earliest=-60m | bucket _time span=3m | stats count by _time host IP ] | fillnull count value=0 </CODE></PRE> <P>If you want something more dynamic, you can search for the hosts first over a longer time range than your final search</P> <PRE><CODE>| tstats earliest=-30d count WHERE index=xxx by host | fields host | join type=left host [ search index=xxx earliest=-60m | bucket _time span=3m | stats count by _time host IP ] | fillnull count value=0 </CODE></PRE> Mon, 30 Jan 2017 12:51:51 GMT jplumsdaine22 2017-01-30T12:51:51Z https://community.splunk.com/t5/Splunk-Search/Stats-not-returning-zero-counts/m-p/251328#M175873 <P>index=xxx |bucket _time span=3m |stats count by _time host IP<BR /> We are using the above stats command to get count instead of timechart just because we have two by clause fields. We need help in returning Zero count as part of stats iteslf if there is no data available. </P> Tue, 24 Jan 2017 13:47:47 GMT https://community.splunk.com/t5/Splunk-Search/Stats-not-returning-zero-counts/m-p/251328#M175873 karthi2809 2017-01-24T13:47:47Z https://community.splunk.com/t5/Splunk-Search/Stats-not-returning-zero-counts/m-p/251329#M175874 <P>(Assuming you want zero counts for host) <BR /> You're going to have to either maintain a lookup of the hosts you are interested in, or search for all the hosts in certain time range. If you're happy with a lookup, then you can run your query like this: </P> <PRE><CODE>| inputlookup interesting_hosts | fields host | join type=left host [ search index=xxx earliest=-60m | bucket _time span=3m | stats count by _time host IP ] | fillnull count value=0 </CODE></PRE> <P>If you want something more dynamic, you can search for the hosts first over a longer time range than your final search</P> <PRE><CODE>| tstats earliest=-30d count WHERE index=xxx by host | fields host | join type=left host [ search index=xxx earliest=-60m | bucket _time span=3m | stats count by _time host IP ] | fillnull count value=0 </CODE></PRE> Mon, 30 Jan 2017 12:51:51 GMT https://community.splunk.com/t5/Splunk-Search/Stats-not-returning-zero-counts/m-p/251329#M175874 jplumsdaine22 2017-01-30T12:51:51Z