I am monitoring firewall and everything works fine when all host are producing logs. If a host happens to go offline and doesn't produce logs for an entire day it disappears from my column chart and I would like to have it still show the host but maybe without "bar graph".
Search string: index=name sourcetype="dell:firewall" earliest=-1d@d latest=@d | chart count(eval(pri=1)) AS Emergency, count(eval(pri=2)) AS Alert, count(eval(pri=3)) AS Critical, count(eval(pri=4)) AS Error, count(eval(pri=5)) AS Warning, count(eval(pri=6)) AS Notification, count(eval(pri=7)) AS Informational, count(eval(pri=8)) AS Debugging, by host
I've tried adding fillnull value=0 as well as a few other options but none seem to keep the host listed as a "by host" field when no logs are produced. I tried to attached two screenshots to this ticket not sure if they posted correctly.
If you have access to execute REST API in Splunk search you can add a filter in base search to get all your hosts (or deployment clients) by adding a filter to base search like the following:
index=name sourcetype="dell:firewall" [| rest /services/deployment/server/clients| search hostname="192.168.*" | fields hostname | fields - _* | rename hostname as host] earliest=-1d@d latest=@d | <Your Stats Command>
In the base search you can add filter for your hosts using OR or a pattern using wildcard/s ( I have taken 192.168.* ) as an example.
Alternatively you can create lookup table with your host names and instead of rest use inputlookup to get list of all hosts.
You can do a stats preferably (distinct_count() ) on a field you know that definitely exists on all your hosts and then use eval to replace the stats on the field with 0.