topic Re: How to search all events and corresponding volume, but display the volume as "0" for missing events? in Splunk Search

How to search all events and corresponding volume, but display the volume as "0" for missing events?

nasamajh09 — Sun, 19 Jun 2016 19:01:56 GMT

I'm search to fetch the volume against different events in a given time frame. The problem I'm running into is that if one or more of those events that did not process any records during that time frame, they do not show up in the output. What search should I use to display volume as 0 with those missing events? Missing events should display with volume as 0 in the search output. Any help will be appreciated ..

Re: How to search all events and corresponding volume, but display the volume as "0" for missing events?

MuS — Sun, 19 Jun 2016 20:50:12 GMT

Hi nasamajh09,

take a look at this answer https://answers.splunk.com/answers/176466/how-to-use-eval-if-there-is-no-result-from-the-bas-1.html which show a way how to do it.
In your case you could do something like this:

your base search here to get all events
| eval volume=if(isnotnull(volume), volume, "0")
| do more stuff here

This will search in your events for the field volume and if it is not null it will uses the value of volume otherwise it will be set to 0.

Hope this helps ...

cheers, MuS

Re: How to search all events and corresponding volume, but display the volume as "0" for missing events?

nasamajh09 — Mon, 20 Jun 2016 03:26:18 GMT

Thank You MuS for your answer but it won't work because if there is no logs for any event ,event name will not appear while searching ,so no point of using isnotnull.

Re: How to search all events and corresponding volume, but display the volume as "0" for missing events?

MuS — Mon, 20 Jun 2016 07:07:29 GMT

Indeed, my answer was not complete. Refere to the other answer and follow the three steps after the base search and you should get it working.