Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted
Solved! Jump to solution

How can I display zero-value/empty time when using stats?

knarayana
New Member
‎08-11-2017 09:47 AM

Search:

index=* | bin span=1d _time | convert ctime(_time) as Time timeformat=%m/%d/%y |stats  count(eval(searchmatch("(match1)")))  count(eval(searchmatch("(match2)"))) by Time

The query doesn't give me the days that have zero value.

How can I get the stats for every day? And it should show me zero if it is zero on that particular day.

Thanks

0 Karma
Reply
1 Solution
Highlighted
Solved! Jump to solution
Solution

Re: How can I display zero-value/empty time when using stats?

sbbadri
Motivator
‎08-11-2017 10:35 AM

index=* | timechart span=1d count(eval(searchmatch("(match1)"))) count(eval(searchmatch("(match2)"))) | eval time=strftime(time,"%m/%d/%Y")

View solution in original post

0 Karma
Reply
Highlighted
Solved! Jump to solution

Re: How can I display zero-value/empty time when using stats?

woodcock
Esteemed Legend
‎08-11-2017 10:42 AM

Use timechart (which creates empty slots by default), like this:

index=*
| timechart span=1d count(eval(searchmatch("(match1)"))) AS match1 count(eval(searchmatch("(match2)"))) AS match2
| rename _time AS Time
| fieldformat Time=strftime(Time, "%m/%d/%y")
0 Karma
Reply