topic How to create a search to show value of fields as Zero having null values and for numeric exact count? in Splunk Search

How to create a search to show value of fields as Zero having null values and for numeric exact count?

sahil237888 — Thu, 03 Aug 2023 20:52:46 GMT

Need help in creating splunk query to show value of fields as Zero having null values and for numeric it should show exact count.

For example -
I want to search for all the events if all fields having specific keywords I am searching.

And for the others, if that keyword is not available in that field value , then it should as 0 count

Re: Splunk query to show value of fields as Zero having null values and for numeric it should show exact count

ITWhisperer — Thu, 27 Jul 2023 17:50:19 GMT

This is a bit too generic - please can you give some more concrete examples of the events you want to show and the ones you want to hide?

Re: Splunk query to show value of fields as Zero having null values and for numeric it should show exact count

sahil237888 — Thu, 03 Aug 2023 09:41:34 GMT

@ITWhisperer - Basically my requirement is - I have 50 hosts in host field.
So, I need to search for count of "error" keyword in my host list.
If there is a count then it should show the exact count in front of that host , else it should show 0 in parallel to that host.

For, E.g - I run below query -

index=server_data host IN (server1,server2.....server50) "warning_found"
Then it should show the count of "warning_found" for a specific host. else it should show 0 in parallel to that specific hos

Re: Splunk query to show value of fields as Zero having null values and for numeric it should show exact count

ITWhisperer — Thu, 03 Aug 2023 09:58:53 GMT

It has been said many times before, finding something that doesn't exist is not one of Splunk's strengths.

You could append additional events with zero counts for all the hosts you are interested in, then sum the counts by host.