Solved: Count days without events

bntdumas · ‎04-04-2018

Hello,

I'm trying to get the sum of days where no events occurred by a city name.

I found the following answer (https://answers.splunk.com/answers/29371/find-days-with-no-events.html) that uses timechart to handle days without events:

sourcetype=foo | timechart count span=1d by city

which gives me the following table:

I feel like I'm getting closer to the solution but what i would like is to know how many days don't have events, in our example that would be:

How could I solve this?

Thanks in advance!
Benoit

cmerriman · ‎04-05-2018

try putting this at the end of your search:

|foreach * [eval <<FIELD>>_0=if('<<FIELD>>'=0,1,0)|fields - date_0]|appendpipe [|stats sum(*_0) as *|eval date="Days at 0"]|fields - *_0

that'll add a line at the bottom of your table for the sum of all 0 days. or you could leave the appendpipe [] out of it and just use the |foreach * [....]|stats... to only bring in the Days at 0

View solution in original post

cmerriman · ‎04-05-2018

try putting this at the end of your search:

|foreach * [eval <<FIELD>>_0=if('<<FIELD>>'=0,1,0)|fields - date_0]|appendpipe [|stats sum(*_0) as *|eval date="Days at 0"]|fields - *_0

that'll add a line at the bottom of your table for the sum of all 0 days. or you could leave the appendpipe [] out of it and just use the |foreach * [....]|stats... to only bring in the Days at 0

bntdumas · ‎04-05-2018

This works great, thank you very much!

splunker12er · ‎04-04-2018

|where count=0

Append this to your query and try

bntdumas · ‎04-05-2018

Unfortunately this works only when the timechart is not sorted "by city" and returns nothing otherwise.

Count days without events

Splunk Observability Cloud | Customer Survey!

Happy CX Day, Splunk Community!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas