Re: Add zero value when using _time field

whitefang1726 · ‎04-27-2021

When using stats count on searches, it does not show zero values on specific time intervals.

Example:
index=main sourcetype=test (event=eventA OR eventB)
| bin _time span=1h
| stats count by _time, event

Sample Result:

_time Event count
04/27 1:00AM EventA 10
04/27 2:00AM EventA 10
04/27 1:00AM EventB 10

How can I show row with zero value?
_time Event count
04/27 1:00AM EventA 10
04/27 2:00AM EventA 10
04/27 3:00AM EventA 0
04/27 1:00AM EventB 10
04/27 2:00AM EventB 0
04/27 3:00AM EventB 0

richgalloway · ‎04-27-2021

The stats command will not fill in missing values, but timechart will.

index=main sourcetype=test (event=eventA OR eventB)
| timechart span=1h count by event

---
If this reply helps you, Karma would be appreciated.

whitefang1726 · ‎04-27-2021

I was expecting a non-timechart command, but that works. Better than creating long queries. 😄

Thanks!

richgalloway · ‎04-28-2021

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.

Add zero value when using _time field

stats

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud

Join the Conversation

Add zero value when using _time field

stats

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud