Splunk Search

How to get a "count by" search to display empty columns with a count of 0 in my chart for values with no results?

Engager

Hi everyone,

I am trying to show a graph based on a "count by", but where columns are still shown, even if no result is returned.

For example, I have the following stats:

In this example, the problem is I have no result for values 4 to 9. So, when representing results, I have the following graph:
Is there a way so I can show columns, even for empty results, but still with a count=0 (so not adding fake events)?
Thank you in advance.
Regards,
Guillaume.

0 Karma

Re: How to get a "count by" search to display empty columns with a count of 0 in my chart for values with no results?

Legend

Try this

... | stats count by seconds | append [|gentimes start=-1 | eval seconds=mvrange(0, 10, 1) | mvexpand seconds | table seconds] | fillnull count value=0 | dedup seconds | sort seconds



Re: How to get a "count by" search to display empty columns with a count of 0 in my chart for values with no results?

Engager

Thanks for the answer 🙂

In the meantime, I found almost the same solution. Didn't do it with a list but with multiple "append" which is not as sexy.

Regards,

0 Karma