https://community.splunk.com/t5/Splunk-Search/How-to-fill-the-null-values-in-search-results/m-p/185737#M53522 <P>Generally you just add this:</P> <PRE><CODE>... | fillnull value=0 </CODE></PRE> <P>But it is hard to say because your question does not include your search and data examples.</P> Wed, 01 Jul 2015 14:23:45 GMT woodcock 2015-07-01T14:23:45Z https://community.splunk.com/t5/Splunk-Search/How-to-fill-the-null-values-in-search-results/m-p/185735#M53520 <P>How can I fill null value in the following result with desired value, e.g. 0:</P> <P>mysearch | stats count by host</P> <P>I would like to have the following result format</P> <P>host1 xx<BR /> host2 0 (which has the null result from the search)<BR /> host3 yy<BR /> host4 zz<BR /> host5 0 (which has the null result from the search)</P> <P>Any suggestions? Please help.</P> <P>Thanks</P> Wed, 01 Jul 2015 14:14:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-fill-the-null-values-in-search-results/m-p/185735#M53520 jgcsco 2015-07-01T14:14:04Z https://community.splunk.com/t5/Splunk-Search/How-to-fill-the-null-values-in-search-results/m-p/185736#M53521 <P>Do you want to exclude the null results from your search or fill them with 0? If the former then try isnotnull()</P> <P>Provide your search and clarification and I can help you out </P> Wed, 01 Jul 2015 14:22:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-fill-the-null-values-in-search-results/m-p/185736#M53521 skoelpin 2015-07-01T14:22:05Z https://community.splunk.com/t5/Splunk-Search/How-to-fill-the-null-values-in-search-results/m-p/185737#M53522 <P>Generally you just add this:</P> <PRE><CODE>... | fillnull value=0 </CODE></PRE> <P>But it is hard to say because your question does not include your search and data examples.</P> Wed, 01 Jul 2015 14:23:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-fill-the-null-values-in-search-results/m-p/185737#M53522 woodcock 2015-07-01T14:23:45Z https://community.splunk.com/t5/Splunk-Search/How-to-fill-the-null-values-in-search-results/m-p/185738#M53523 <P>Thanks for your quick response, I would like to include the null results and fill then with 0. Following is the search string:</P> <P>host=* "Error" |stats count by host</P> <P>Basically, I am search the log file on all the hosts to find out error messages, for the host that does not have any error, I would like to set the value with "0".</P> <P>Thanks,</P> Wed, 01 Jul 2015 14:27:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-fill-the-null-values-in-search-results/m-p/185738#M53523 jgcsco 2015-07-01T14:27:42Z https://community.splunk.com/t5/Splunk-Search/How-to-fill-the-null-values-in-search-results/m-p/185739#M53524 <P>Based on your clarification, you need this:</P> <PRE><CODE>index=* OR index=_* | stats count(eval(like(lower(_raw), "%error%"))) AS Errors by host </CODE></PRE> Wed, 01 Jul 2015 14:38:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-fill-the-null-values-in-search-results/m-p/185739#M53524 woodcock 2015-07-01T14:38:11Z https://community.splunk.com/t5/Splunk-Search/How-to-fill-the-null-values-in-search-results/m-p/185740#M53525 <P>Thanks woodcock. The only issue is that the log on each host is fairly large in terms of size, and the search here seem a bit inefficient, but it does provide the result I am looking for. </P> Wed, 01 Jul 2015 14:58:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-fill-the-null-values-in-search-results/m-p/185740#M53525 jgcsco 2015-07-01T14:58:13Z https://community.splunk.com/t5/Splunk-Search/How-to-fill-the-null-values-in-search-results/m-p/185741#M53526 <P>The most time spent is in the <CODE>lower</CODE> command so this should be faster:</P> <PRE><CODE> index=* OR index=_* | stats count(eval(match(_raw, "[eE][rR][rR][oO][rR]"))) AS Errors by host </CODE></PRE> Wed, 01 Jul 2015 15:15:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-fill-the-null-values-in-search-results/m-p/185741#M53526 woodcock 2015-07-01T15:15:00Z