Splunk Search

How can I set my count to '0' when no results are found in a table with the corresponding source?

Explorer

Hi Folks,

I want to produce a count of events in each of my indexes. Where there isn't any data for the time range I specify in my search, I want to return 0 next to the corresponding index. So far I've tried;

index=blah* |timechart span=5m count by index | append pipe [stats count | where count==0]

The above returns 0 - but how can I add in the corresponding index name that has 0?

thx!

R

0 Karma

SplunkTrust
SplunkTrust

Try this

index=blah* |timechart span=5m count by index 
| table [| rest /services/data/indexes | table title | search title=blah* | rename title as search]
| fillnull value=0

Splunk Employee
Splunk Employee

Here's more info about fillnull! http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Fillnull Just learned about it in the Splunk Fundamentals II course myself. 😄 You can use the fillnull command to replace all null values with 0 or any string that you’d like

0 Karma

Explorer

Thx for the reply. Yeah I've used fillnill a few times - in this case (where there is no data in the index for the specified search time window I still get 'no results found' as opposed to my wanted index_name count 0

0 Karma

SplunkTrust
SplunkTrust

Give this a try then...

index=blah* | bucket span=5m _time | stats count by _time index  
| appendpipe [| stats count | where count=0 | addinfo 
| eval time=split(info_min_time." ".info_max_time," ") | table time count| mvexpand time 
| rename time as _time  | eval index="dummy"] |timechart span=5m count by index 
 | table _time [| rest /services/data/indexes | table title | search title=blah* | rename title as search]
 | fillnull value=0
0 Karma