https://community.splunk.com/t5/Splunk-Search/Unable-to-fetch-result-of-hosts-which-are-not-having-any/m-p/566343#M197374 <P>I don't know if there's a FAQ here, but this kind of question should definitely be there (I answered similar one few days ago).</P><P>Splunk's works by passing from each step to the next one a set of records (events, stats). But it doesn't know where this data comes from (what was the command which resulted in this data).</P><P>So if you tell it to search for events fulfilling a given set of conditions during given timerange, it does so. But if some of those conditions can't be fulfilled, they simply don't produce any events but splunk doesn't know further down the road what the conditions were.</P><P>Thus if you want to have the rows saying that some hosts have 0 stats, you have to prepare such records yourself.</P><P>See <A href="https://community.splunk.com/t5/Splunk-Search/Need-to-display-count-having-zero-events/m-p/565220" target="_blank">https://community.splunk.com/t5/Splunk-Search/Need-to-display-count-having-zero-events/m-p/565220</A></P> Wed, 08 Sep 2021 17:14:59 GMT PickleRick 2021-09-08T17:14:59Z https://community.splunk.com/t5/Splunk-Search/Unable-to-fetch-result-of-hosts-which-are-not-having-any/m-p/566336#M197371 <P>Hi Team,</P><P>I am trying to fetch the count and percentage of hosts having success and failures along with failure percentage.</P><P>host =<BR />Server1<BR />Server2<BR />Server3<BR />Server4<BR />Server5</P><P><BR />But if count of spcecific host is having no event, I want to show that as well even with result =0.</P><P>I am running below query but it is missing some servers because there are no events on specific sevrers form last 2 hours.</P><P>index=server_list host IN (Server1,Server2,Server3,Server4,Server5) events_status = "*"<BR />| eval pass=if(like(event_status,"20%"),1,0)<BR />| eval fail=if(!like(event_status,"20%"),1,0)<BR />| stats count as Overall_Volume,sum(pass) as Passed, sum(fail) as Failed by host<BR />| eval Failure_Rate=round(Failed_Requests/(Passed_Requests+Failed_Requests)*100,2)<BR />| fillnull value=0</P><P>Below result I am getting, because Server4 and Server5 dont have any traffic from last 2 Hours -</P><P>host&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Overall_Volume Passed Failed Failure_Rate<BR />Server1&nbsp; &nbsp; &nbsp; &nbsp;2&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 50<BR />Server2&nbsp; &nbsp; &nbsp; 10&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;6&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;4&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 40<BR />Server3&nbsp; &nbsp; &nbsp; &nbsp;1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;0&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 100</P><P>&nbsp;</P><P>Can anyone help in query so that I should get all Servers with values as 0 if no traffic.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 08 Sep 2021 16:45:33 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-fetch-result-of-hosts-which-are-not-having-any/m-p/566336#M197371 sahil237888 2021-09-08T16:45:33Z https://community.splunk.com/t5/Splunk-Search/Unable-to-fetch-result-of-hosts-which-are-not-having-any/m-p/566343#M197374 <P>I don't know if there's a FAQ here, but this kind of question should definitely be there (I answered similar one few days ago).</P><P>Splunk's works by passing from each step to the next one a set of records (events, stats). But it doesn't know where this data comes from (what was the command which resulted in this data).</P><P>So if you tell it to search for events fulfilling a given set of conditions during given timerange, it does so. But if some of those conditions can't be fulfilled, they simply don't produce any events but splunk doesn't know further down the road what the conditions were.</P><P>Thus if you want to have the rows saying that some hosts have 0 stats, you have to prepare such records yourself.</P><P>See <A href="https://community.splunk.com/t5/Splunk-Search/Need-to-display-count-having-zero-events/m-p/565220" target="_blank">https://community.splunk.com/t5/Splunk-Search/Need-to-display-count-having-zero-events/m-p/565220</A></P> Wed, 08 Sep 2021 17:14:59 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-fetch-result-of-hosts-which-are-not-having-any/m-p/566343#M197374 PickleRick 2021-09-08T17:14:59Z https://community.splunk.com/t5/Splunk-Search/Unable-to-fetch-result-of-hosts-which-are-not-having-any/m-p/566751#M197503 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231884">@PickleRick</a>&nbsp;-</P><P>this query is giving 0 for each server even if there is traffic on that server.</P><P>Can you suggest any other query?</P> Sun, 12 Sep 2021 16:42:41 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-fetch-result-of-hosts-which-are-not-having-any/m-p/566751#M197503 sahil237888 2021-09-12T16:42:41Z https://community.splunk.com/t5/Splunk-Search/Unable-to-fetch-result-of-hosts-which-are-not-having-any/m-p/566753#M197504 <P>Well, of course the query on its own will give you results of 0. You have to append your own results and sum them up. That's the point.</P> Sun, 12 Sep 2021 18:00:35 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-fetch-result-of-hosts-which-are-not-having-any/m-p/566753#M197504 PickleRick 2021-09-12T18:00:35Z