https://community.splunk.com/t5/Splunk-Search/0-counts/m-p/748072#M241945 <P>Hello,</P><P>with this query :</P><P>index=abc<BR />| search source = "xyz"<BR />| stats count by source</P><P>I can see the count of sources having count more than 0.&nbsp;<BR />But I cant manage to get the ones with 0 count.&nbsp;<BR />Anyone able to help me please ?&nbsp;</P><P>Thank you&nbsp;</P> Tue, 17 Jun 2025 06:54:15 GMT av3rag3 2025-06-17T06:54:15Z https://community.splunk.com/t5/Splunk-Search/0-counts/m-p/748072#M241945 <P>Hello,</P><P>with this query :</P><P>index=abc<BR />| search source = "xyz"<BR />| stats count by source</P><P>I can see the count of sources having count more than 0.&nbsp;<BR />But I cant manage to get the ones with 0 count.&nbsp;<BR />Anyone able to help me please ?&nbsp;</P><P>Thank you&nbsp;</P> Tue, 17 Jun 2025 06:54:15 GMT https://community.splunk.com/t5/Splunk-Search/0-counts/m-p/748072#M241945 av3rag3 2025-06-17T06:54:15Z https://community.splunk.com/t5/Splunk-Search/0-counts/m-p/748075#M241946 <P class="lia-align-left">Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/310987">@av3rag3</a>&nbsp;,</P><P class="lia-align-left">at first, don't use the search command after the main search because you'll have slower searches: put all the search terms as left as possible, possibly in the main search.</P><P class="lia-align-left">Then, why do you use the source as BY clausein stats command, if you always have only one source?</P><P class="lia-align-left">In general, without the condition source="xyz", it's normal that you haven't the results of source=0 because you don't have them from the search.</P><P class="lia-align-left">If you have a list of the sources to monitor, you could insert them in a lookup and add them to the search with count=0, something like this:</P><LI-CODE lang="markup">index=abc | stats count by source | append [ | inputlookup my_source_lookup.csv | eval count=0 | fields source count ] | stats sum(count) AS total BY source</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Tue, 17 Jun 2025 07:06:49 GMT https://community.splunk.com/t5/Splunk-Search/0-counts/m-p/748075#M241946 gcusello 2025-06-17T07:06:49Z https://community.splunk.com/t5/Splunk-Search/0-counts/m-p/748081#M241947 <P>I would suggest a slightly optimal version that does not use the subsearch</P><LI-CODE lang="markup">index=abc | stats count by source | inputlookup append=t my_source_lookup.csv | fillnull count | stats sum(count) AS total BY source</LI-CODE><P>&nbsp;</P> Tue, 17 Jun 2025 07:37:18 GMT https://community.splunk.com/t5/Splunk-Search/0-counts/m-p/748081#M241947 bowesmana 2025-06-17T07:37:18Z https://community.splunk.com/t5/Splunk-Search/0-counts/m-p/748872#M242060 <P>To concur with the above answers, you would have to utilize a lookup file that lists out all of the sources you want to monitor.</P><P>Natively, Splunk does not have a source = 0 events. (it doesn't know what it doesn't know).</P><P>In the environment we work in, we apply a siar approach but its based on host and whether the sources are coming in or not for our customers.</P><LI-CODE lang="markup">| tstats values(source) as source, values(sourcetype) as sourcetype WHERE index=[index] [ | inputlookup [myHostLookup].csv | fields host ] by host | stats count, values(sourcetype) as sourcetype, values(source) as source by host | eval Reporting=if(isnull(source), "No Matching Sources", "Yes") | table host, Reporting, source, sourcetype</LI-CODE><P>---<BR />If this reply helps you, Karma would be appreciated.</P> Fri, 27 Jun 2025 13:45:50 GMT https://community.splunk.com/t5/Splunk-Search/0-counts/m-p/748872#M242060 antoniolamonica 2025-06-27T13:45:50Z