Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I also include the values which has stats count 0 in the table ?

shaal89
New Member
‎03-23-2017 06:05 AM

I'm trying to get the usage of some values (say, xyz) by "stats count by xyz" where i am getting the results of xyz which has count greater than 0 like,
xyz | count
nasj | 10
asjn | 40
asjd | 23

but i m also pretty sure where some values of xyz also has count 0. how do i get that ? should be like,
xyz | count
nasj | 10
asjn | 40
asjd | 23
ansj | 0
sfdn | 0

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎03-23-2017 08:02 AM

You need source for a canonical list of "all the XYZ things". For simplicity, let's not use xyz but rather host.

Let's assume you have the canonical list in a set of tags, then you can use this search to obtain it:

| rest/servicesNS/-/-/configs/conf-tags 
| search YourTagNameHere=enabled 
| fields title 
| rex field=title mode=sed "s/host=//" 
| rename title AS host

Let's assume it is in a CSV, then you can use this search to obtain it:

| inputcsv MyCSV | table host

In any case, once you have the search that generated the canonical list of hosts, you can do a search like this:

YOUR DATA SEARCH HERE
| append [YOUR SEARCH FOR CANONICAL LIST HERE] 
| stats values(*) AS * BY host

You might start with a tstats search because it is so much more efficient:

| tstats count where index=_* OR index=* BY host sourcetype index 
| append [YOUR SEARCH FOR CANONICAL LIST HERE] 
| stats values(*) AS * BY host

Be aware that if you are doing stats count instead of stats count(something) you will have to do this at the end to get rid of the added non-data list:

| eval count = count - 1
0 Karma
Reply

DalJeanis
Legend
‎03-23-2017 07:29 AM

One way to do this is if you pull, from somewhere, a list of all the values of xyz that you always want on the list. Then, you use sum() on a field with either a one (selected records) or a zero (all values to report) and it looks like this...

...your search that gets all xyz records you want to count...
| table xyz | eval mycount=1
| append [...your search that gets ALL xyz values that you want to report... | table xyz | eval mycount=0]
| stats sum(mycount) as count by xyz

So, here's a run-anywhere code sample demonstrating the technique with your fake data...

| makeresults 
| eval xyz="nasj nasj nasj nasj nasj nasj nasj nasj nasj nasj asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjn asjd asjd asjd asjd asjd asjd asjd asjd asjd asjd asjd asjd asjd asjd asjd asjd asjd asjd asjd asjd asjd asjd asjd" 
| makemv xyz 
| mvexpand xyz

| table xyz | eval mycount=1
| append 
    [| makeresults | eval xyz="nasj asjn asjd ansj sfdn" | makemv xyz | mvexpand xyz
     | table xyz | eval mycount=0]
| stats sum(mycount) as count by xyz
0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...