Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Count by column with clausule where and fill with 0 if not found

miki73
Engager
‎10-11-2017 04:58 AM

Hello,
So situation is 

| stats count by col1 | where col1 IN ("tmp1", "tmp2", "tmp3")

and i call this for last 5 min, but sometimes for example "tmp1" is not happen in last 5 min so i want to put into my list value like

col1 count
tmp1 0
tmp2 5
tmp3 10

After that i want to create from this a chart so i need to include values with count=0 to analize.
anyone know how to handle that situation ?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kyaparla
Path Finder
‎10-11-2017 09:18 AM

Something like this, should work.

| stats count by col1 | appendpipe [tail 1 | eval col1=mvappend("tmp1", "tmp2", "tmp3") | eval count=0] | mvexpand col1 | stats max(count) as count by col1| where col1 IN ("tmp1", "tmp2", "tmp3")

If the list is too big, its better to put them in a lookup table and use append command.

link for lookup solution.
https://answers.splunk.com/answers/580763/help-needed-with-a-search-and-a-lookup.html#answer-582032

View solution in original post

Reply
Solved! Jump to solution
Solution

kyaparla
Path Finder
‎10-11-2017 09:18 AM

Something like this, should work.

| stats count by col1 | appendpipe [tail 1 | eval col1=mvappend("tmp1", "tmp2", "tmp3") | eval count=0] | mvexpand col1 | stats max(count) as count by col1| where col1 IN ("tmp1", "tmp2", "tmp3")

If the list is too big, its better to put them in a lookup table and use append command.

link for lookup solution.
https://answers.splunk.com/answers/580763/help-needed-with-a-search-and-a-lookup.html#answer-582032

Reply
Solved! Jump to solution

miki73
Engager
‎10-11-2017 11:02 PM

Works fine for me thank you 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...