https://community.splunk.com/t5/Splunk-Search/Need-to-display-0-if-the-count-is-0/m-p/196963#M187372 <P>Use "|join type=left commonField" instead on appendcols. Please post some sample query for full answer.</P> Thu, 06 Nov 2014 15:11:15 GMT somesoni2 2014-11-06T15:11:15Z https://community.splunk.com/t5/Splunk-Search/Need-to-display-0-if-the-count-is-0/m-p/196962#M187371 <P>i have 5 columns in my report. i am using appendcols to append columns (to get data of different time range). My report have 7 rows (static) and if the count is 0 for the second row, third row result is added into second row(so seventh row shows no data,as the count are showing in the second row even it is zero). <BR /> Please help me, as i tried wilth fillnull also..</P> Thu, 06 Nov 2014 15:08:40 GMT https://community.splunk.com/t5/Splunk-Search/Need-to-display-0-if-the-count-is-0/m-p/196962#M187371 harish_ka 2014-11-06T15:08:40Z https://community.splunk.com/t5/Splunk-Search/Need-to-display-0-if-the-count-is-0/m-p/196963#M187372 <P>Use "|join type=left commonField" instead on appendcols. Please post some sample query for full answer.</P> Thu, 06 Nov 2014 15:11:15 GMT https://community.splunk.com/t5/Splunk-Search/Need-to-display-0-if-the-count-is-0/m-p/196963#M187372 somesoni2 2014-11-06T15:11:15Z https://community.splunk.com/t5/Splunk-Search/Need-to-display-0-if-the-count-is-0/m-p/196964#M187373 <P>index=yyy sourcetype="xxx" "org.apache.axis2.AxisFault: Read timed out" OR "188~-230~no contained exception~Exception during" earliest=-9d@d latest=now| rex "Major org.apache.axis2.AxisFault: (?.<EM>)" | rex "188~-230~no contained exception~Exception during (?.</EM>) Error from sabre:"| |eval TimeStamp=tostring(strftime(_time,"%m/%d/%y - %H:%M:%S %p"))| stats first(TimeStamp) as "Last_Alert_Time" by Alert_Type </P> <P>|appendcols [search index=yyy sourcetype="xxx" "org.apache.axis2.AxisFault: Read timed out" OR "188~-230~no contained exception~Exception during" earliest=-0d@d latest=now| rex "Major org.apache.axis2.AxisFault: (?.<EM>)" | rex "188~-230~no contained exception~Exception during (?.</EM>) Error from sabre:"| stats count(Alert_Type) as "# of times occurred today" by Alert_Type ]</P> Mon, 28 Sep 2020 18:06:32 GMT https://community.splunk.com/t5/Splunk-Search/Need-to-display-0-if-the-count-is-0/m-p/196964#M187373 harish_ka 2020-09-28T18:06:32Z https://community.splunk.com/t5/Splunk-Search/Need-to-display-0-if-the-count-is-0/m-p/196965#M187374 <P>This is how my query looks...<BR /> i can write a common query or for seperate appendcols result</P> Thu, 06 Nov 2014 15:29:48 GMT https://community.splunk.com/t5/Splunk-Search/Need-to-display-0-if-the-count-is-0/m-p/196965#M187374 harish_ka 2014-11-06T15:29:48Z https://community.splunk.com/t5/Splunk-Search/Need-to-display-0-if-the-count-is-0/m-p/196966#M187375 <P>This is how it can be done. Assuming your static Alert_Type values are Alert1, Alert2,...Alert7, then try like this</P> <PRE><CODE>| gentimes start=-1 | eval Alert_Type="Alert1, Alert2, Alert3, Alert4, Alert5, Alert6, Alert7" | table Alert_Type | makemv Alert_Type delim="," | mvexpand Alert_Type | join type=left Alert_Type [search index=yyy sourcetype="xxx" "org.apache.axis2.AxisFault: Read timed out" OR "188~-230~no contained exception~Exception during" earliest=-9d@d latest=now| rex "Major org.apache.axis2.AxisFault: (?.)" | rex "188~-230~no contained exception~Exception during (?.) Error from sabre:"| |eval TimeStamp=tostring(strftime(_time,"%m/%d/%y - %H:%M:%S %p"))| stats first(TimeStamp) as "Last_Alert_Time" by Alert_Type ] | join type=left Alert_Type [search index=yyy sourcetype="xxx" "org.apache.axis2.AxisFault: Read timed out" OR "188~-230~no contained exception~Exception during" earliest=-0d@d latest=now| rex "Major org.apache.axis2.AxisFault: (?.)" | rex "188~-230~no contained exception~Exception during (?.) Error from sabre:"| stats count(Alert_Type) as "# of times occurred today" by Alert_Type ] | join type=left Alert_Type [search index=yyy sourcetype="xxx" "org.apache.axis2.AxisFault: Read timed out" OR "188~-230~no contained exception~Exception during" earliest=-5d@d latest=now| rex "Major org.apache.axis2.AxisFault: (?.)" | rex "188~-230~no contained exception~Exception during (?.) Error from sabre:"| stats count(Alert_Type) as "# of times occurred Last 5 DAys" by Alert_Type ] | join type=left Alert_Type [search index=yyy sourcetype="xxx" "org.apache.axis2.AxisFault: Read timed out" OR "188~-230~no contained exception~Exception during" earliest=-7d@d latest=now| rex "Major org.apache.axis2.AxisFault: (?.)" | rex "188~-230~no contained exception~Exception during (?.) Error from sabre:"| stats count(Alert_Type) as "# of times occurred Last 7 DAys" by Alert_Type ] | fillnull value=0 </CODE></PRE> Thu, 06 Nov 2014 16:24:45 GMT https://community.splunk.com/t5/Splunk-Search/Need-to-display-0-if-the-count-is-0/m-p/196966#M187375 somesoni2 2014-11-06T16:24:45Z https://community.splunk.com/t5/Splunk-Search/Need-to-display-0-if-the-count-is-0/m-p/196967#M187376 <P>Its Working <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Thank You So much...<BR /> I replaced "appendcols" with "join type=left Alert_Type". And added " | fillnull value=0" in the end of my query to display zero.</P> Thu, 06 Nov 2014 19:00:57 GMT https://community.splunk.com/t5/Splunk-Search/Need-to-display-0-if-the-count-is-0/m-p/196967#M187376 harish_ka 2014-11-06T19:00:57Z