Splunk Search

How to display zero count in a stats table?

IRHM73
Motivator

Hi, I wonder whether someone may be able to help me please.

I'm using the following stats query.

`wso2_wmf(RequestCompleted)`
| dedup eventId
| stats count by request.detailContext 

The problem I have is that it's not displaying zero values for the request.detail.Context field.

If I use '| fillnull value=0' then specify each value from the request.detail.Context field then it does display those values with a zero count.

But the problem with this, is that because I'm being prescriptive in field values, when new field values are being ingested into Splunk for this field, they are not being extracted in the stats table.

I've looked at every post I could find of a similar nature and the solutions provided haven't worked. Could someone perhaps have a look at this and offer some guidance on how I may go about achieving this.

Many thanks and kind regards

Chris

1 Solution

woodcock
Esteemed Legend

This is the Sentinel Search problem discussed (with solution) here:
https://conf.splunk.com/session/2015/conf2015-LookupTalk.pdf

View solution in original post

woodcock
Esteemed Legend

This is the Sentinel Search problem discussed (with solution) here:
https://conf.splunk.com/session/2015/conf2015-LookupTalk.pdf

IRHM73
Motivator

Many thanks @woodcock.

0 Karma

woodcock
Esteemed Legend

Don't thank me, thank @duckfez! 😆 Maybe he will comment and you can UpVote him.

0 Karma

IRHM73
Motivator

Hopefully he will, so can give him the credit aswell.

0 Karma

MuS
SplunkTrust
SplunkTrust

Might not be the answer, but an idea how to handle the case where the base search does not return events .... read here : https://answers.splunk.com/answers/176466/how-to-use-eval-if-there-is-no-result-from-the-bas-1.html

cheers, MuS

0 Karma

IRHM73
Motivator

Hi @MuS. Doesn't quite work for my circumstances, but it does seem to be a common issue.

Thank you for taking the time to reply.

Many thanks and kind regards

Chris

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...