Hi,
I need the stats command below to display a line with 0 if there are no results.
How can I do this, please?
index="xx" sourcetype="yy" key_path="HKLM\software\microsoft\windows nt\" OR key_path="HKLM\software\microsoft\windows nt\currentversion"
| stats dc(host) as "Number of hosts" by sourcetype key_path
<form>
  <label>test</label>
  <fieldset submitButton="false">
    <input type="text" token="field1">
      <label>test</label>
    </input>
  </fieldset>
  <row>
    <!-- Shown only while the search below has at least one result -->
    <panel depends="$show_table$">
      <table>
        <search id="your query">
          <progress>
            <condition match="'job.resultCount' > 0">
              <set token="show_table">true</set>
              <unset token="show_table2"></unset>
            </condition>
            <condition>
              <unset token="show_table"></unset>
              <set token="show_table2">true</set>
            </condition>
          </progress>
          <query>index=_internal $field1$ | stats count</query>
          <earliest>-5s</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <!-- Fallback panel shown when the search above returned no results -->
    <panel depends="$show_table2$">
      <table>
        <search id="nothing">
          <query>| stats count </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
This is an example dashboard.
If there is a search result, the result is output.
I would like you to write the necessary query.
Sorry, but it doesn't help much more...
[UPDATED QUERY] as per details provided for the key_path also to be defaulted to 0 in case they are not present.
@jip31, as per your query there are only two key_path. If so you can use the following query. If not you will have to prepare a list of key_paths available in a lookup and use that to default the values in case any key_path is not present.
index="xx" sourcetype="yy" key_path="HKLM\\software\\microsoft\\windows nt\\" OR key_path="HKLM\\software\\microsoft\\windows nt\\currentversion"
| stats dc(host) as "Number of hosts" by sourcetype key_path
| append
[| makeresults
| fields - _time
| eval sourcetype="yy", key_path="HKLM\\software\\microsoft\\windows nt\\,HKLM\\software\\microsoft\\windows nt\\currentversion" ,"Number of hosts"=0
| makemv key_path delim=","
| mvexpand key_path]
| dedup sourcetype key_path
@jip31, but you are fixing the sourcetype in your query to "yy", i.e. index="xx" sourcetype="yy".
Is there only one sourcetype? If so, and you want to show a single row with sourcetype=yy and count=0 when events from that sourcetype do not exist, you can try the following:
index="xx" sourcetype="yy" key_path="HKLM\\software\\microsoft\\windows nt\\" OR key_path="HKLM\\software\\microsoft\\windows nt\\currentversion"
| stats dc(host) as "Number of hosts" by sourcetype key_path
| append
[| makeresults
| fields - _time
| eval sourcetype="yy", key_path="N/A" ,"Number of hosts"=0]
| dedup sourcetype
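The same padding idea, written so that the real rows and the zero rows can coexist (an added example, not part of the original thread). It uses the two key_path values from the question; index "xx" and sourcetype "yy" are the thread's placeholders. Two things differ from the query above: stats drops the index field, so a dedup on index would discard every real row (by default dedup removes results that lack one of its fields unless keepempty=true), and stats max() replaces dedup so the order of the appended rows does not matter. key_path is lower-cased on both sides so a padding row matches the indexed value whatever its case, and the count field keeps a space-free name until the final rename so eval can refer to it without quoting.

```spl
index="xx" sourcetype="yy" (key_path="HKLM\\software\\microsoft\\windows nt\\" OR key_path="HKLM\\software\\microsoft\\windows nt\\currentversion")
| eval key_path=lower(key_path)
| stats dc(host) as Number_of_hosts by sourcetype key_path
| append
    [| makeresults
     | eval sourcetype="yy",
            key_path=split("HKLM\\software\\microsoft\\windows nt\\;HKLM\\software\\microsoft\\windows nt\\currentversion", ";"),
            Number_of_hosts=0
     | mvexpand key_path
     | eval key_path=lower(key_path)
     | fields - _time]
| stats max(Number_of_hosts) as Number_of_hosts by sourcetype key_path
| rename Number_of_hosts as "Number of hosts"
```

With no matching events in the time range the output is the two placeholder rows with 0; when events exist, the real distinct-host count wins because max(N, 0) = N. To cover more keys, extend the split() list, or replace the makeresults subsearch with an inputlookup of the expected key_paths as suggested above.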
Hi Renjith,
I have only 2 key paths with a count > 0 and 2 key paths with a count = 0.
I tried to adapt your query, but I have a count = 0 for the 4 key paths.
Here is what I have done:
(index=toto) sourcetype="WinRegistry" key_path="HKLM\\ww" OR key_path="HKLM\\xx" OR key_path="HKLM\\yy" OR key_path="HKLM\\zz"
| stats dc(host) as "Number of hosts" by sourcetype key_path
| append
[| makeresults
| fields - _time
| eval sourcetype="WinRegistry", key_path="HKLM\\ww,HKLM\\xx,HKLM\\yy,HKLM\\zz","Number of hosts"=0
| makemv key_path delim=","
| mvexpand key_path]
| dedup sourcetype key_path
Hi, do you have an idea of what is wrong, please?
Is anybody able to help me, please?
Hi Renjith,
Yes, there is just one sourcetype.
I need the fields displayed like this:
sourcetype   key_path   Number of hosts
toto         1          24
toto         2          18
toto         3          0
toto         4          0
As you can see, I need to display all the key_paths even if the number of hosts is equal to 0.
If I understood your question correctly, the simplest solution could be the one below:
index="xx" sourcetype="yy" key_path="HKLM\\software\\microsoft\\windows nt\\" OR key_path="HKLM\\software\\microsoft\\windows nt\\currentversion"
| stats dc(host) as "Number of hosts" by sourcetype key_path
| eval "Number of hosts" = if("Number of hosts" =0,"0-------------","Number of hosts" )
If you need proper lines in that case, you may need to go for a custom table renderer using JS.
http://dev.splunk.com/view/webframework-developapps/SP-CAAAEUY
Sid
"Number of hosts" inside the if statement refers to the string "Number of hosts" instead of the field. I suggest to name the field Number_of_hosts: | stats dc(host) as Number_of_hosts. Now the if statement Number_of_hosts==0 will work.
Sorry, I don't understand.
Something like this?
| stats dc(host) as Number_of_hosts by sourcetype key_path | eval Number_of_hosts=if(Number_of_hosts==0, "0", Number_of_hosts)
What I need, if there are no events for a sourcetype, is the name of the sourcetype displayed in the table panel and 0 for "Number_of_hosts".