Archive

Show a result even if no events match

Explorer

I am trying to get the result even if no results matches.

fillnull works fine with-

search sourcetype="test" Status < 0  | stats sparkline(count) as spark1, count as "Error Count"  | fillnull

but not with-

search sourcetype="test" Status < 0  | stats sparkline(count) as spark1, count as "Error Count" by sourcetype | fillnull

Is there any way second query be fixed?

Thanks

Tags (1)
0 Karma

Super Champion

Is there data showing up at all with the second one? Can you show some sample data?

try this:

search sourcetype="test" Status < 0  | stats sparkline(count) as spark1, count as "Error Count" by sourcetype| appendpipe [ stats count | eval "Error Count"="0"  | where count==0 |table "Error Count"]

Explorer

Thanks for the query, unfortunately it does gives the expected result-

search sourcetype="test" Status < 0  | stats sparkline(count) as spark1, count as "Error Count" by sourcetype| appendpipe [ stats count | eval "Error Count"="0"  | where count==0 |table "Error Count"]

It gives me-

sourcetype  spark1  Error Count
                            0

Result should be like-

sourcetype  spark1  Error Count
test                    0
0 Karma

SplunkTrust
SplunkTrust

Just add | eval sourcetype ="test" at the end of the subsearch.

sourcetype="test" Status < 0  | stats sparkline(count) as spark1, count as "Error Count" by sourcetype| appendpipe [ stats count | eval "Error Count"="0"  | where count==0 |table "Error Count" | eval sourcetype ="test"]

Explorer

Works like a charm.

Thanks

0 Karma