Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to add missing values to stats command result?

joydeep741
Path Finder
‎08-08-2018 10:13 PM

I have a search query 

index=abc sourcetype=xyz | stats count by created_date

I get results like 

CREATED_DATE          COUNT
2018-08-08                  12
2018-08-07                   10
2018-08-04                   05
2018-08-02                  06
2018-08-01                   03

But as you can see, some dates are not present in logs so do not appear in results.
Like 2018-08-06, 2018-08-05, 2018-08-03

I want these dates to come but with ZERO count.

The final result should look like 

CREATED_DATE          COUNT
2018-08-08                  12
2018-08-07                   10
**2018-08-06                   0
2018-08-05                   0**
2018-08-04                   05
**2018-08-03                   0**
2018-08-02                  06
2018-08-01                   03

Please suggest a solution.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎08-09-2018 12:03 AM

@joydeep741 your Created Date as per sample Data seems to be in YYYY-mm-dd format. If you want to use it in timechart, you can try the following:

index=abc sourcetype=xyz 
| eval _time=strptime(created_date,"%Y-%m-%d")
| timechart span=1d count
| fillnnull value=0 count

PS: Final fillnull command might not be required. So test without that as well.
strptime() works based on the String Time Format in your Data. So above is based on sample dates your have provided i.e. %Y-%m-%d

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎08-09-2018 12:03 AM

@joydeep741 your Created Date as per sample Data seems to be in YYYY-mm-dd format. If you want to use it in timechart, you can try the following:

index=abc sourcetype=xyz 
| eval _time=strptime(created_date,"%Y-%m-%d")
| timechart span=1d count
| fillnnull value=0 count

PS: Final fillnull command might not be required. So test without that as well.
strptime() works based on the String Time Format in your Data. So above is based on sample dates your have provided i.e. %Y-%m-%d

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

joydeep741
Path Finder
‎08-09-2018 12:46 AM

Awesome man.

Often the solution to splunk problem statements are the most simplest ones and not Complex queries.

Reply
Solved! Jump to solution

niketn
Legend
‎08-09-2018 03:39 AM

True but messing with _time is risky 🙂 If you have a Time Picker input based dashboard you would need to ensure that created_date filter with String Time in YYYY-mm-dd is applied based on earliest and latest time selected in the Time Picker input.

If _time and created_time are two different time not related to each other, the approach from one of my older answers can be tweaked to do this: https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

Shan
Builder
‎08-08-2018 11:49 PM

@joydeep741

Try this Query.

| makeresults 
| eval Date=mvappend("2018-08-08","2018-08-07","2018-08-04","2018-08-02","2018-08-01")
| mvexpand Date
| table Date
| appendcols  [| gentimes start=08/01/2017 end=09/30/2017 | bin span=1m endtime | stats count by endtime | eval Date=strftime(endtime, "%Y-%m-%d") | table Date     
          | table Date
          ]       
          | eventstats values(Date) as Date          
    | stats count by Date
0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎08-08-2018 11:00 PM

@joydeep741,

Try

index=abc sourcetype=xyz |timechart span=1d count by CREATED_DATE

If your CREATED_DATE is continuous, then timechart span=1d count also should work

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

joydeep741
Path Finder
‎08-08-2018 11:51 PM

timechart span=1d count by CREATED_DATE

This would put created_date as column names in the result...

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎08-09-2018 12:22 AM

As mentioned ,you could convert _time to the CREATED_DATE as CREATED_DATE=strftime(_time,"%Y-%m-%d")

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...