https://community.splunk.com/t5/Splunk-Search/Show-count-by-a-field-value/m-p/563949#M196445 <P>Hi Experts,</P><P>I have a requirement to in which a table is ingested to Splunk. And the table has a field named Time showing timestamp as "YYYY-MM-DD HH:MM:SS:milisec". Data ingestion is happening without any issues. When I tried to show the count of events in a particular day</P><P>1. With stats command, the count is is matching with source, but there are times when there is no event happens in source system and that day count is not showing as 0 in Splunk, its just ignored.</P><P>2. With time command, Splunk takes the ingested timestamp of the event and not the timestamp in the event, and the count is not matching. Whereas, here when there is no data gets ingested, the count is showing as 0.</P><P>Please help me with this issue, where the count should be calculated with the field Time and in case if there is no event for a day, that should get displayed as 0. I'm trying to show the data in a bar chart.</P><P>&nbsp;</P><P>Any help is much appreciated. Thanks.</P><P>Regards, Karthikeyan.SV</P> Thu, 19 Aug 2021 12:34:57 GMT Karthikeyan 2021-08-19T12:34:57Z https://community.splunk.com/t5/Splunk-Search/Show-count-by-a-field-value/m-p/563949#M196445 <P>Hi Experts,</P><P>I have a requirement to in which a table is ingested to Splunk. And the table has a field named Time showing timestamp as "YYYY-MM-DD HH:MM:SS:milisec". Data ingestion is happening without any issues. When I tried to show the count of events in a particular day</P><P>1. With stats command, the count is is matching with source, but there are times when there is no event happens in source system and that day count is not showing as 0 in Splunk, its just ignored.</P><P>2. With time command, Splunk takes the ingested timestamp of the event and not the timestamp in the event, and the count is not matching. Whereas, here when there is no data gets ingested, the count is showing as 0.</P><P>Please help me with this issue, where the count should be calculated with the field Time and in case if there is no event for a day, that should get displayed as 0. I'm trying to show the data in a bar chart.</P><P>&nbsp;</P><P>Any help is much appreciated. Thanks.</P><P>Regards, Karthikeyan.SV</P> Thu, 19 Aug 2021 12:34:57 GMT https://community.splunk.com/t5/Splunk-Search/Show-count-by-a-field-value/m-p/563949#M196445 Karthikeyan 2021-08-19T12:34:57Z https://community.splunk.com/t5/Splunk-Search/Show-count-by-a-field-value/m-p/564003#M196461 <P>The <FONT face="courier new,courier">stats</FONT> command counts events.&nbsp; If data from a certain source is absent then it is not counted.</P><P>The <FONT face="courier new,courier">timechart</FONT> command also counts events, but will automatically (unless told otherwise) fill in zeroes for time periods with no data.&nbsp; Again, if a source is completely absent then it cannot be counted.</P><P>The <FONT face="courier new,courier">timechart</FONT> command requires the _time field for it to work.&nbsp; You can, however, set _time to any other field you have.</P><LI-CODE lang="markup">... | eval _time=Time | timechart count by source</LI-CODE><P>&nbsp;</P> Thu, 19 Aug 2021 23:57:40 GMT https://community.splunk.com/t5/Splunk-Search/Show-count-by-a-field-value/m-p/564003#M196461 richgalloway 2021-08-19T23:57:40Z https://community.splunk.com/t5/Splunk-Search/Show-count-by-a-field-value/m-p/564092#M196490 <P>Hi,</P><P>We use below search query to find the count</P><P>index="index" sourcetype="source_events"<BR />| eval time=strptime(TIME,"%Y-%m-%d %H:%M:%S.%Q")<BR />| eval date = strftime(time,"%Y-%m-%d")<BR />|timechart span=1d count(date)</P><P>&nbsp;</P><P>When I tried with the provided search command, didn't get the output.</P> Fri, 20 Aug 2021 13:16:50 GMT https://community.splunk.com/t5/Splunk-Search/Show-count-by-a-field-value/m-p/564092#M196490 Karthikeyan 2021-08-20T13:16:50Z https://community.splunk.com/t5/Splunk-Search/Show-count-by-a-field-value/m-p/564093#M196491 <P>Since this is ingested as a table, no new source are generated and hence we could see not count values. Apart from time field, there are other unique fields such as EXECUTION_HASH, EXECUTION_ID, with which I tried to do a count, but couldn't get desired result.<BR /><BR />Search query:<BR />| eval _time=TIME<BR />| timechart count by EXECUTION_ID</P> Fri, 20 Aug 2021 13:27:31 GMT https://community.splunk.com/t5/Splunk-Search/Show-count-by-a-field-value/m-p/564093#M196491 Karthikeyan 2021-08-20T13:27:31Z