https://community.splunk.com/t5/Splunk-Search/How-to-get-the-0-data-rows-using-tstats-query/m-p/645863#M223611 <P>Hi</P><P>have you try this <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Makecontinuous" target="_self">makecontinuous</A>?</P><P>r. Ismo</P> Tue, 06 Jun 2023 07:24:05 GMT isoutamo 2023-06-06T07:24:05Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-0-data-rows-using-tstats-query/m-p/645168#M223408 <P>Original query:</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=app-data sourcetype=clientapp-code |rex field=_raw "\Status\:(?&lt;Code&gt;.*?)\|" |eval Failed=if(Code!=0, "Failed", null()) |bucket _time span=1d |stats count(Failed) as Fail by _time </LI-CODE> <P>&nbsp;</P> <P><BR /><BR />OUTPUT:</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="50%" height="24px">_time</TD> <TD width="50%" height="24px">Fail</TD> </TR> <TR> <TD width="50%" height="24px">2022-01-22</TD> <TD width="50%" height="24px">6</TD> </TR> <TR> <TD width="50%" height="24px">2022-01-23</TD> <TD width="50%" height="24px">0</TD> </TR> <TR> <TD width="50%" height="24px">2022-01-24</TD> <TD width="50%" height="24px">8</TD> </TR> <TR> <TD width="50%" height="24px">2022-01-25</TD> <TD width="50%" height="24px">0</TD> </TR> <TR> <TD width="50%" height="24px">2022-01-26</TD> <TD width="50%" height="24px">0</TD> </TR> <TR> <TD width="50%" height="24px">2022-01-27</TD> <TD width="50%" height="24px">12</TD> </TR> <TR> <TD width="50%" height="24px">2022-01-28</TD> <TD width="50%" height="24px">0</TD> </TR> <TR> <TD width="50%" height="24px">2022-01-29</TD> <TD width="50%" height="24px">0</TD> </TR> </TBODY> </TABLE> <P><BR /><BR />tstats query:<BR /><BR /></P> <P>&nbsp;</P> <LI-CODE lang="markup">|tstats count where index=app-data sourcetype=clientapp-code by PREFIX(status:) _time span=1d |rename status: as Code |eval Failed=if(Code!=0, "Failed", null()) |where Code!=0 |stats values(count) by _time</LI-CODE> <P>&nbsp;</P> <P><BR /><BR /></P> <P>OUTPUT:</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="50%" height="24px">_time</TD> <TD width="50%" height="24px">Fail</TD> </TR> <TR> <TD width="50%" height="24px">2022-01-22</TD> <TD width="50%" height="24px">6</TD> </TR> <TR> <TD width="50%" height="24px">2022-01-24</TD> <TD width="50%" height="24px">8</TD> </TR> <TR> <TD width="50%" height="24px">2022-01-27</TD> <TD width="50%" height="24px">12</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>I want to see original query&nbsp; output&nbsp; with tstats query but 0 data rows are not showing up in tstats command.<BR />How can i get the 0 data rows using tstats query???</P> Tue, 06 Jun 2023 13:08:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-0-data-rows-using-tstats-query/m-p/645168#M223408 Vani_26 2023-06-06T13:08:33Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-0-data-rows-using-tstats-query/m-p/645849#M223607 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/248147">@Vani_26</a>&nbsp;- You forget to do | bucket in your second query.</P><P>Try adding either bucket or bin command before stats, similar to your first query.</P><P>&nbsp;</P><P>OR alternatively, you can use timechart command instead of the stats command.</P><LI-CODE lang="markup">| timechart span=1d sum(count) as Fail</LI-CODE><P>&nbsp;</P><P>I hope this helps!!!</P> Tue, 06 Jun 2023 06:09:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-0-data-rows-using-tstats-query/m-p/645849#M223607 VatsalJagani 2023-06-06T06:09:17Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-0-data-rows-using-tstats-query/m-p/645863#M223611 <P>Hi</P><P>have you try this <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Makecontinuous" target="_self">makecontinuous</A>?</P><P>r. Ismo</P> Tue, 06 Jun 2023 07:24:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-0-data-rows-using-tstats-query/m-p/645863#M223611 isoutamo 2023-06-06T07:24:05Z