https://community.splunk.com/t5/Splunk-Search/Stats-command-returning-no-results-if-field-does-not-exist/m-p/161188#M45600 <P>Okay, best thing to do in this case: contact the author of the app over the app page at splunkbase. <BR /> But to test a value you can use the <CODE>isnum()</CODE> function with <CODE>eval</CODE> <A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/CommonEvalFunctions">http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/CommonEvalFunctions</A></P> <PRE><CODE>isnum(X) This function takes one argument X and returns TRUE if X is a number. ... | eval n=if(isnum(field),"yes","no") or ... | where isnum(field) </CODE></PRE> Tue, 16 Jun 2015 02:58:59 GMT MuS 2015-06-16T02:58:59Z https://community.splunk.com/t5/Splunk-Search/Stats-command-returning-no-results-if-field-does-not-exist/m-p/161180#M45592 <P>My specific example is regarding an Active Directory index. This is my basic query;</P> <PRE><CODE>index="ad_test" objectClass="*computer*" cn="workstation" | dedup cn | stats count by name lastLogonTimestamp distinguishedName </CODE></PRE> <P>This returns no results. However when manually searching in Active Directory; The object is there. I ran the following to verify the event was in the index;</P> <PRE><CODE>index="ad_test" objectClass="*computer*" cn="workstation" | dedup cn </CODE></PRE> <P>The event exists in the index. However, the event does not have a 'lastLogonTiemstamp' because the object was created manually in Active Directory and the workstation itself never authenticated, or logged on to the domain.</P> <P>Active Directory aside; The stats command does not return events when a field in the stats query does not exist. How do I compensate for this?</P> Fri, 21 Feb 2014 14:29:02 GMT https://community.splunk.com/t5/Splunk-Search/Stats-command-returning-no-results-if-field-does-not-exist/m-p/161180#M45592 mcrawford44 2014-02-21T14:29:02Z https://community.splunk.com/t5/Splunk-Search/Stats-command-returning-no-results-if-field-does-not-exist/m-p/161181#M45593 <P>Hi mcrawford44,</P> <P>you could create dummy values for the field if the field does not exists, something like this should work:</P> <PRE><CODE> ... | eval foo="N/A" | eval lastLogonTimestamp=coalesce(lastLogonTimestamp,foo) | .. </CODE></PRE> <P>this will take <CODE>lastLogonTimestamp</CODE> if it exists or <CODE>foo</CODE> if <CODE>lastLogonTimestamp</CODE> does not exist.</P> <P>hope this helps ...</P> <P>cheers, MuS</P> Fri, 21 Feb 2014 14:49:46 GMT https://community.splunk.com/t5/Splunk-Search/Stats-command-returning-no-results-if-field-does-not-exist/m-p/161181#M45593 MuS 2014-02-21T14:49:46Z https://community.splunk.com/t5/Splunk-Search/Stats-command-returning-no-results-if-field-does-not-exist/m-p/161182#M45594 <P>Using;</P> <P>index="ad_test" objectClass="<EM>computer</EM>" cn="workstation" | dedup cn | eval name=upper(cn) | eval lastLogonTimestamp=if(isnull(lastLogonTimestamp), "N/A" , lastLogonTimestamp) | stats count by name lastLogonTimestamp distinguishedName</P> <P>No results returned unfortunately. I'll mess with it a bit unless you see something glaringly wrong. TO clarify, the field is not empty or NULL. It simply has not been instantiated on the object. The field literally does not exist.</P> Fri, 21 Feb 2014 15:13:43 GMT https://community.splunk.com/t5/Splunk-Search/Stats-command-returning-no-results-if-field-does-not-exist/m-p/161182#M45594 mcrawford44 2014-02-21T15:13:43Z https://community.splunk.com/t5/Splunk-Search/Stats-command-returning-no-results-if-field-does-not-exist/m-p/161183#M45595 <P>Perfect! This worked. You may want to update the parent answer as reference for other viewers.</P> Fri, 21 Feb 2014 18:41:03 GMT https://community.splunk.com/t5/Splunk-Search/Stats-command-returning-no-results-if-field-does-not-exist/m-p/161183#M45595 mcrawford44 2014-02-21T18:41:03Z https://community.splunk.com/t5/Splunk-Search/Stats-command-returning-no-results-if-field-does-not-exist/m-p/161184#M45596 <P>Answer updated, feel free to accept the answer <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Fri, 21 Feb 2014 21:42:26 GMT https://community.splunk.com/t5/Splunk-Search/Stats-command-returning-no-results-if-field-does-not-exist/m-p/161184#M45596 MuS 2014-02-21T21:42:26Z https://community.splunk.com/t5/Splunk-Search/Stats-command-returning-no-results-if-field-does-not-exist/m-p/161185#M45597 <P>I am stumped by this problem too. The coalesce method doesn't seem to work for me. </P> <P>I have deleted my index and recreated. At the most fundamental level, this search <BR /> index=summarytimingsindex SqlTime &gt; 0<BR /> Returns results. SqlTime is a numeric field. But as soon as I attempt any stats (or chart etc), including by adding them from the pop up on the selected field, I get no results returned. I am trying to get avg(SqlTime) but nothing I can do seems to work for this.</P> Tue, 16 Jun 2015 02:17:56 GMT https://community.splunk.com/t5/Splunk-Search/Stats-command-returning-no-results-if-field-does-not-exist/m-p/161185#M45597 anthonyhall 2015-06-16T02:17:56Z https://community.splunk.com/t5/Splunk-Search/Stats-command-returning-no-results-if-field-does-not-exist/m-p/161186#M45598 <P>could it be it is a multi value field? Are you sure about the numeric field?</P> Tue, 16 Jun 2015 02:49:38 GMT https://community.splunk.com/t5/Splunk-Search/Stats-command-returning-no-results-if-field-does-not-exist/m-p/161186#M45598 MuS 2015-06-16T02:49:38Z https://community.splunk.com/t5/Splunk-Search/Stats-command-returning-no-results-if-field-does-not-exist/m-p/161187#M45599 <P>It has a # next to its name in the list of selected fields. How else would I tell? Sorry, I am very new to Splunk, and trying to run a canned app which comes with no support and just dreadful documentation, so I am trying to work out why nothing works.</P> Tue, 16 Jun 2015 02:52:19 GMT https://community.splunk.com/t5/Splunk-Search/Stats-command-returning-no-results-if-field-does-not-exist/m-p/161187#M45599 anthonyhall 2015-06-16T02:52:19Z https://community.splunk.com/t5/Splunk-Search/Stats-command-returning-no-results-if-field-does-not-exist/m-p/161188#M45600 <P>Okay, best thing to do in this case: contact the author of the app over the app page at splunkbase. <BR /> But to test a value you can use the <CODE>isnum()</CODE> function with <CODE>eval</CODE> <A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/CommonEvalFunctions">http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/CommonEvalFunctions</A></P> <PRE><CODE>isnum(X) This function takes one argument X and returns TRUE if X is a number. ... | eval n=if(isnum(field),"yes","no") or ... | where isnum(field) </CODE></PRE> Tue, 16 Jun 2015 02:58:59 GMT https://community.splunk.com/t5/Splunk-Search/Stats-command-returning-no-results-if-field-does-not-exist/m-p/161188#M45600 MuS 2015-06-16T02:58:59Z https://community.splunk.com/t5/Splunk-Search/Stats-command-returning-no-results-if-field-does-not-exist/m-p/161189#M45601 <P>Hi MuS, thanks for taking the time to help. The field is definitely a number based on the result of the above.<BR /><BR /> The app didn't come from the splunkbase. It came from an enterprise software vendor, and it explicitly comes with no support from them. Very unprofessional of them, I know.</P> Tue, 16 Jun 2015 03:05:31 GMT https://community.splunk.com/t5/Splunk-Search/Stats-command-returning-no-results-if-field-does-not-exist/m-p/161189#M45601 anthonyhall 2015-06-16T03:05:31Z