How to add zeros to table when data is not found

komalg · ‎12-11-2019

Hello,

Have a question for the community: I have a table that looks like this:
ADate Type
2019-12-01 ABC
2019-12-02 ABC
2019-12-02 XYZ
2019-12-03 XYZ

When I run ..... |stats count by A , Type- I get only the counts of Types that are there on that date.

I want to append the count of 2019-12-01 for XYZ as 0 , 2019-12-03 ABC as 0 like that in my result.
Any help with this?

Thanks.

DavidHourani · ‎12-11-2019

Hi @komalg,

You can use the fillnull command as follows to put zeros everywhere (just like my school grades) in case your search is |stats count by A:

... | fillnull

But if you want to use |stats count by ADate, Type- then you're actually better off going for something like this :

...| eval _time=strptime(ADate,%Y-%m-%d) |timechart count by Type

Let me know if that helps.

Cheers,
David

komalg · ‎12-30-2019

Thanks, stats does not work, but I am able to work with timechart.

Are you a member of the Splunk Community?