topic Re: Display a result when the count =0 in Splunk Search

Display a result when the count =0

otman01 — Thu, 16 Apr 2015 08:20:14 GMT

Hi every one,
Whene I use the command count with Stats or chart, the result display just the events when count is greater than 0.
In my case I want to display 0 if the count = 0.
It is possible ?
Thank you for your help have a nice day 🙂

Re: Display a result when the count =0

srinathd — Thu, 16 Apr 2015 08:31:05 GMT

Hi.. stats will always show the count. if there are no events the result will show count as 0.

Re: Display a result when the count =0

MuS — Thu, 16 Apr 2015 08:39:26 GMT

Take a look at this answer http://answers.splunk.com/answers/176466/how-to-use-eval-if-there-is-no-result-from-the-bas-1.html to get some more details about using stats count in such a use case.

Re: Display a result when the count =0

otman01 — Thu, 16 Apr 2015 09:18:46 GMT

this is my search query source="WinEventLog:*" | stats count by EventType
this is the resul of the search EventType count 0 --------------21 2 --------------11 3 ---------------1 4 --------------22 What I want is to display 2 other envents that are not listed in the result EventType1 and EventType5

Thank you

Re: Display a result when the count =0

sideview — Thu, 16 Apr 2015 15:51:35 GMT

Based on your comment, you need the output to show certain values for EventType even if there is no rawdata with that value.

The answer is a little weird. Here's your search with the real results from teh raw data.

source="WinEventLog:" | stats count by EventType

now if we tack on an extra append command, and then an extra stats command, we can fabricate some rows that have zeros as the count, but in which all EventTypes are reflected.

| append [| stats count | eval EventType=split("1,2,3,4,5",",") | mvexpand EventType] | stats sum(count) as count by EventType

Now all 5 EventTypes will be in the results regardless of their presence in the raw data.

Re: Display a result when the count =0

masonmorales — Thu, 16 Apr 2015 18:35:25 GMT

Cool question. I can answer if you can fill in a couple blanks for me:
What app are you using? (search?)
Are the eventtypes shared or private? If shared, are they shared in app or globally?

Re: Display a result when the count =0

masonmorales — Thu, 16 Apr 2015 18:36:19 GMT

Also is EventType a field you created or an actual "event type" knowledge object? (http://docs.splunk.com/Splexicon:Eventtype)

Re: Display a result when the count =0

otman01 — Fri, 17 Apr 2015 07:40:40 GMT

Thank you for your response.
* so, EventType is a field we can say that is a GameCategory for example.
* Yes, I use searche app.

Re: Display a result when the count =0

otman01 — Fri, 17 Apr 2015 08:37:38 GMT

thank you for your response but the result given by the request is wrong 😞

Re: Display a result when the count =0

sideview — Fri, 17 Apr 2015 15:09:24 GMT

That is odd. In case you read too fast and just pasted in the part starting with append, the full query is:

source="WinEventLog:" | stats count by EventType | append [| stats count | eval EventType=split("1,2,3,4,5",",") | mvexpand EventType] | stats sum(count) as count by EventType

it will give you exactly what you are asking for.

Re: Display a result when the count =0

otman01 — Mon, 20 Apr 2015 07:46:53 GMT

Thank you for your response, it didn't give me the rigth result because I had a mistake in my source ., It was my fault.
Now it works perfectly thank you sideview have a nice day