Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can I make tstats query return results day wise as zero?

Ash1
Communicator
‎06-02-2023 02:09 PM

getting "no results found" ,but  i want the results day wise as zero

Query1:

|tstats count where index=applicationlogs sourcetype=app-logs by PREFIX(report:) _time
|rename report: as Report
|eval Flaw=if(Report!="0", "Flaw", null())
|where Report!=0
|timechart span=1d max(count)  as Flaw
|fillnull value=0 Flaw

Query2:

index=applicationlogs sourcetype=app-logs
|rex field= _raw "CCC\s\d+\:\d+\:\d+\,\d{3}\(\s+\)\s\-\s(?<status>.*)"
|where isnotnull(status)
|convert timeformat="%d-%m-%Y" ctime(_time) as date
|stats count by date




Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-05-2023 01:54 AM

Hi

As @ITWhisperer said check what your first tstats return. It could be something else what you are expecting. I suppose that you have already read (at least) these two presentations

Which covers tstats with TERM and PREFIX and what you must consider when you are using those.

r. Ismo 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-02-2023 10:45 PM

Try executing each of your searches with an increasing number of lines until you find the line that causes there to be no results.

0 Karma
Reply

Ash1
Communicator
‎06-04-2023 04:20 PM

Hi @ITWhisperer 
What do u men by increasing number of lines??

For example if i wany to see 5 days data, if there is no data i want to see rows by showing count as zero.

Tags (1)
0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎06-04-2023 09:33 PM

Hi what @ITWhisperer meant, I believe, is try the first line of your tstats by itself. If that works dd the second line etc.

 

What I do is to comment out the lines you don't want to run when three backs ticks. Then I have the query ready to uncomment.

Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-05-2023 12:41 AM

Yes, as @burwell said, try the first command of the search to see if you get results, then the first two commands, etc. That way you can identify which line is causing you to get no results.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...