Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to achieve stats count by field showing fields with zero?

denissotoacc
Path Finder
‎04-17-2022 05:45 PM

Let's suppose I have the following search:

 

| makeresults 
| eval name="Denis", age=34
| append 
    [| makeresults 
    | eval name="Nazarena", age=28]
| append 
    [| makeresults 
    | eval name="Diego", age=10]
| append 
    [| makeresults 
    | eval name="Maria", age=43]
| search age > 30
| stats count by name

 


It outputs:

name count
Denis 1
Maria 1

 

I need to get the number of times some name appears when it's age is higher than 30 BUT I need to show the unmatched names (lower than 30) as "count = 0". Something like this:

name count
Denis 1
Nazarena 0
Diego 0
Maria 1


What should I need to change in this search in order to achieve that?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tscroggins
Influencer
‎04-17-2022 06:45 PM

@denissotoacc 

Instead of counting by name, try summing by a condition:

| stats sum(eval(if(age>30, 1, 0))) as count by name

 

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-17-2022 11:47 PM

Hi @denissotoacc,

adapt this to your needs:

| makeresults 
| eval name="Denis", age=34
| append 
    [| makeresults 
    | eval name="Nazarena", age=28]
| append 
    [| makeresults 
    | eval name="Diego", age=10]
| append 
    [| makeresults 
    | eval name="Maria", age=43]
| eval type=if(age>30,"higher","lower")
| stats dc(type) AS dc_type values(type) AS type count BY name

Ciao and Happy Easter.

Giuseppe

Reply
Solved! Jump to solution
Solution

tscroggins
Influencer
‎04-17-2022 06:45 PM

@denissotoacc 

Instead of counting by name, try summing by a condition:

| stats sum(eval(if(age>30, 1, 0))) as count by name

 

Reply
Solved! Jump to solution

denissotoacc
Path Finder
‎04-25-2022 04:46 AM

This is exactly what i needed. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...