https://community.splunk.com/t5/Splunk-Search/Count-days-without-events/m-p/320441#M95767 <P>This works great, thank you very much!</P> Fri, 06 Apr 2018 05:29:36 GMT bntdumas 2018-04-06T05:29:36Z https://community.splunk.com/t5/Splunk-Search/Count-days-without-events/m-p/320437#M95763 <P>Hello,</P> <P>I'm trying to get the sum of days where no events occurred by a city name.</P> <P>I found the following answer (<A href="https://answers.splunk.com/answers/29371/find-days-with-no-events.html">https://answers.splunk.com/answers/29371/find-days-with-no-events.html</A>) that uses timechart to handle days without events:</P> <PRE><CODE>sourcetype=foo | timechart count span=1d by city </CODE></PRE> <P>which gives me the following table:<BR /> <span class="lia-inline-image-display-wrapper" image-alt="table"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4721i4F71DBA7A559E2CC/image-size/large?v=v2&amp;px=999" role="button" title="table" alt="table" /></span></P> <P>I feel like I'm getting closer to the solution but what i would like is to know how many days don't have events, in our example that would be:<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4722i6DF626315EFFBB00/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>How could I solve this? </P> <P>Thanks in advance!<BR /> Benoit</P> Thu, 05 Apr 2018 05:47:00 GMT https://community.splunk.com/t5/Splunk-Search/Count-days-without-events/m-p/320437#M95763 bntdumas 2018-04-05T05:47:00Z https://community.splunk.com/t5/Splunk-Search/Count-days-without-events/m-p/320438#M95764 <PRE><CODE>|where count=0 </CODE></PRE> <P>Append this to your query and try</P> Thu, 05 Apr 2018 05:52:10 GMT https://community.splunk.com/t5/Splunk-Search/Count-days-without-events/m-p/320438#M95764 splunker12er 2018-04-05T05:52:10Z https://community.splunk.com/t5/Splunk-Search/Count-days-without-events/m-p/320439#M95765 <P>try putting this at the end of your search:</P> <PRE><CODE>|foreach * [eval &lt;&lt;FIELD&gt;&gt;_0=if('&lt;&lt;FIELD&gt;&gt;'=0,1,0)|fields - date_0]|appendpipe [|stats sum(*_0) as *|eval date="Days at 0"]|fields - *_0 </CODE></PRE> <P>that'll add a line at the bottom of your table for the sum of all 0 days. or you could leave the <CODE>appendpipe []</CODE> out of it and just use the <CODE>|foreach * [....]|stats...</CODE> to only bring in the Days at 0</P> Thu, 05 Apr 2018 12:52:49 GMT https://community.splunk.com/t5/Splunk-Search/Count-days-without-events/m-p/320439#M95765 cmerriman 2018-04-05T12:52:49Z https://community.splunk.com/t5/Splunk-Search/Count-days-without-events/m-p/320440#M95766 <P>Unfortunately this works only when the timechart is not sorted "by city" and returns nothing otherwise.</P> Fri, 06 Apr 2018 05:29:18 GMT https://community.splunk.com/t5/Splunk-Search/Count-days-without-events/m-p/320440#M95766 bntdumas 2018-04-06T05:29:18Z https://community.splunk.com/t5/Splunk-Search/Count-days-without-events/m-p/320441#M95767 <P>This works great, thank you very much!</P> Fri, 06 Apr 2018 05:29:36 GMT https://community.splunk.com/t5/Splunk-Search/Count-days-without-events/m-p/320441#M95767 bntdumas 2018-04-06T05:29:36Z