Splunk Search

Display a result when the count =0

Communicator

Hi everyone,
When I use the count command with stats or chart, the result only displays the events when count is greater than 0.
In my case I want to display 0 if the count = 0.
Is it possible?
Thank you for your help, have a nice day 🙂

1 Solution

SplunkTrust
SplunkTrust

Based on your comment, you need the output to show certain values for EventType even if there is no raw data with that value.

The answer is a little weird. Here's your search with the real results from the raw data.

source="WinEventLog:" | stats count by EventType

Now if we tack on an extra append command, and then an extra stats command, we can fabricate some rows that have zeros as the count, but in which all EventTypes are reflected.

| append [| stats count | eval EventType=split("1,2,3,4,5",",") | mvexpand EventType] | stats sum(count) as count by EventType

Now all 5 EventTypes will be in the results regardless of their presence in the raw data.

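Added example, not from the original thread or its author: the same zero-filling pattern written out as one complete search. The source, the field name EventType and the expected values 1 through 5 are taken from the thread; using makeresults to seed the expected list (instead of the bare stats count subsearch above) and setting count=0 explicitly are my own choices for readability, not something the answer prescribes.

```spl
source="WinEventLog:*"
| stats count by EventType
| append
    [| makeresults
     | eval EventType=split("1,2,3,4,5", ",")
     | mvexpand EventType
     | eval count=0
     | fields EventType count]
| stats sum(count) as count by EventType
| sort EventType
```

The first stats only produces rows for values actually present in the data, so the subsearch manufactures one zero-count row per expected value and the second stats merges the two sets: real counts add to zero, and values with no raw events keep 0. For monitoring, the useful follow-up is `| where count=0`, which turns the search into an alert on expected event types that stopped arriving. If the expected list is maintained outside the search, the subsearch can read it from a lookup instead, for example `[| inputlookup expected_eventtypes.csv | eval count=0]`, assuming a lookup with an EventType column (a hypothetical lookup name, not one from the thread).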


Communicator

thank you for your response but the result given by the request is wrong 😞

0 Karma

SplunkTrust
SplunkTrust

That is odd. In case you read too fast and just pasted in the part starting with append, the full query is:

source="WinEventLog:" | stats count by EventType | append [| stats count | eval EventType=split("1,2,3,4,5",",") | mvexpand EventType] | stats sum(count) as count by EventType

It will give you exactly what you are asking for.

0 Karma

Communicator

Thank you for your response. It didn't give me the right result because I had a mistake in my source. It was my fault.
Now it works perfectly, thank you sideview, have a nice day.

0 Karma

Contributor

Hi. stats will always show the count. If there are no events, the result will show count as 0.

0 Karma

Communicator
  • This is my search query: source="WinEventLog:*" | stats count by EventType
  • This is the result of the search:

    EventType   count
    0           21
    2           11
    3           1
    4           22

  What I want is to display the 2 other event types that are not listed in the result, EventType 1 and EventType 5.

Thank you

0 Karma

Influencer

Cool question. I can answer if you can fill in a couple blanks for me:
What app are you using? (search?)
Are the eventtypes shared or private? If shared, are they shared in app or globally?

0 Karma

Influencer

Also is EventType a field you created or an actual "event type" knowledge object? (http://docs.splunk.com/Splexicon:Eventtype)

0 Karma

Communicator

Thank you for your response.
* So, EventType is a field; we can say that it is a GameCategory, for example.
* Yes, I use the search app.

0 Karma

SplunkTrust
SplunkTrust

Take a look at this answer http://answers.splunk.com/answers/176466/how-to-use-eval-if-there-is-no-result-from-the-bas-1.html to get some more details about using stats count in such a use case.