Archive

Stats not returning zero counts

Communicator

index=xxx |bucket _time span=3m |stats count by _time host IP
We are using the above stats command to get count instead of timechart just because we have two by clause fields. We need help in returning Zero count as part of stats iteslf if there is no data available.

Tags (1)
0 Karma

Influencer

(Assuming you want zero counts for host)
You're going to have to either maintain a lookup of the hosts you are interested in, or search for all the hosts in certain time range. If you're happy with a lookup, then you can run your query like this:

| inputlookup interesting_hosts 
| fields host 
| join type=left host [ 
  search index=xxx earliest=-60m 
  | bucket _time span=3m 
  | stats count by _time host IP
  ] 
| fillnull count value=0

If you want something more dynamic, you can search for the hosts first over a longer time range than your final search

| tstats earliest=-30d count WHERE index=xxx by host 
| fields host 
| join type=left host [ 
  search index=xxx earliest=-60m
  | bucket _time span=3m 
  | stats count by _time host IP
  ] 
| fillnull count value=0