topic Re: How to write a search to create a summary index with a count of "0" when there are no events matching "myerror"? in Splunk Search

How to write a search to create a summary index with a count of "0" when there are no events matching "myerror"?

burwell — Thu, 27 Oct 2016 02:06:20 GMT

I have a search to create a summary index which runs every 15 minutes:

 index=foo "myerror" | bin span=15m _time |  sistats count by _time

I'd like to have 0 in my summary search when there are no events matching "myerror".

How do I do that?

Re: How to write a search to create a summary index with a count of "0" when there are no events matching "myerror"?

jkat54 — Thu, 27 Oct 2016 02:38:24 GMT

See if this works: Change it from sistats to stats and use the collect command..,

 ... | stats count by _time | collect index=summary

Re: How to write a search to create a summary index with a count of "0" when there are no events matching "myerror"?

burwell — Thu, 27 Oct 2016 05:59:12 GMT

Thanks but that didn't do it. I don't get data when I have no events.

Re: How to write a search to create a summary index with a count of "0" when there are no events matching "myerror"?

somesoni2 — Thu, 27 Oct 2016 16:16:09 GMT

Give this a try

  index=foo "myerror" | bin span=15m _time |  sistats count by _time | appendpipe [| stats count | where count=0 | addinfo  | eval _time=info_min_time| bucket span=15m _time | table _time count | sistats count by _time ]

Re: How to write a search to create a summary index with a count of "0" when there are no events matching "myerror"?

burwell — Sun, 30 Oct 2016 02:33:09 GMT

I tried this (I am getting rid of the bin span)... this works except when there are no errors then it says 1 instead of 0.

I tried adding eval count=count-1 in the appendpipe clause but could not get this to give me zero.

index=foo "myerror" | sistats count |appendpipe [| stats count | where count=0 | addinfo  | eval _time=info_min_time|  table _time count |  sistats count    ]