Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

help to display results when results is equal to 0

jip31
Motivator
‎05-31-2021 10:04 AM

hiactually

From the tstats command, I need to display 0 is the column "Number of index" if the result is 0 (actually if the result is 0 i have "no results")

I have tried with the eval command below but it doesnt works

| tstats count where index=perfmon-* by host index 
| stats dc(index) as "Number of index" by host 
| eval "Number of index"=if(isnull("Number of index"), 0, dc) 
| table host "Number of index"

Could you help please?

Tags (1)
0 Karma
Reply

jip31
Motivator
‎06-01-2021 10:10 PM

Is anybody can help for build the appendpipe comand in order to display 0 is an hostname is not found in the index?

| appendpipe 
    [| stats count 
    | where count = 0 ] 
| eval NoIndex=if(count=0,"NoIndex",count) 
| table NoIndex
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎05-31-2021 10:15 AM

@jip31 

May be appendcols can help you..  Just try below search and update sub search as per your requirement.

| tstats count where index=perfmon-* by host index 
| stats dc(index) as "Number of index" by host
| appendcols [| makeresults | eval "Number of index"=0]

 

 

0 Karma
Reply

jip31
Motivator
‎05-31-2021 10:23 AM

hi

it doesnt works because I have events with "Number of index"=1 or more displayed...

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎05-31-2021 08:49 PM

@jip31 

| tstats count where index=perfmon-* by host index

 

 this will return  host, index and some count. So None of the fields in any row can be null. So below command will give you definitely some none 0 count. 

| stats dc(index) as "Number of index" by host

 

So in which scenario you want to handle null count. Is that ay special scenario you want to handle.

Please share your expected OP so we can think in that direction.

Thanks
KV
▄︻̷̿┻̿═━一

0 Karma
Reply

jip31
Motivator
‎05-31-2021 10:05 PM

Hi 

I explain what I exactly need

I need to check the hostname for which there is any event collect in the 4 indexes I use

So the example I have posted works when an hostname has collected events in 1 index or more but it doesn't works when the hostname hasnever collected events

Pearhaps it's not the good way to proceed and it will better to start from a list of hostname and to check if they collect in the 4 indexes?

What I just need to displayed it's the hostname which collect in any index

 

Now, I have done this :

 

 

| tstats count where index=tutu-* by host index 
| join host 
    [| inputlookup fo_all.csv  
    | rename HOSTNAME as host] 
| stats dc(index) as "Number of index" by host

 

 

it allows me to retrieve the hostname from a csv file and to check if they exists in the index

So for one of them, I have 4 indexes, 3 indexes, 2 indexes or 1 index

But for whom which doesnt exists in any indexes (I am sure there is a lot of them), I would like to have 0 displayed

How to do this please? with an append command?

I tried this but it doesnt works

 

| appendpipe 
    [| stats count as "Noindex"
    | where NoIndex = 0 ] 
| eval NoIndex=if(NoIndex=0,"Index exists",NoIndex) 
| table NoIndex
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-31-2021 10:14 PM

Splunk is not good on reporting something it doesn't know - for example, your host with zero events could be called Tom, **bleep** or Harry, but how would splunk know without you telling it? You could have a lookup with all the expected host names which you include in your search, that way splunk has a chance!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...