Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Bring back set number of fields even if the field isn't in the data

jlechem
New Member
‎03-02-2011 08:28 PM

Hello,

I am trying to bring back a set number of fields in a query even if that field isn't in the indexed data. For example, my data could have a field called Status. Status could be one of 3 values a, b, or c. My data only happens to have a and b with no c. I want my queries to always bring back count values for a, b, and c with 0 for any field value that's not in the current data. Is this possible?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bbingham
Builder
‎03-03-2011 06:20 AM

Yes it's possible, you can use the eval command under the count, it will only count if it matches a set outcome, here's a sample:

 source="some source" | stats count(eval(Status="a")) as Name_of_field_A count(eval(Status="b")) as Name_of_field_B count(eval(Status="c")) as Name_of_field_C

The above will always return the 3 fields and will stay at 0 till they encounter a match on the status field. Is that what you're looking for?

View solution in original post

Reply
Solved! Jump to solution
Solution

bbingham
Builder
‎03-03-2011 06:20 AM

Yes it's possible, you can use the eval command under the count, it will only count if it matches a set outcome, here's a sample:

 source="some source" | stats count(eval(Status="a")) as Name_of_field_A count(eval(Status="b")) as Name_of_field_B count(eval(Status="c")) as Name_of_field_C

The above will always return the 3 fields and will stay at 0 till they encounter a match on the status field. Is that what you're looking for?

Reply
Solved! Jump to solution

jlechem
New Member
‎03-04-2011 03:58 PM

That's exactly what I'm looking for thanks!

0 Karma
Reply
Solved! Jump to solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎03-02-2011 09:14 PM

Could you share your exact search?

Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...