- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to include counts with 0 events?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Stats count is not showing me the number of counts if there are no events for the particular search.
index="myIndex" AND (sourctype="source1" OR sourcetype="source2") | stats count by sourcetype
Result is showing me:
sourcetype: source1
count: 34
But it is not showing anything for source2 since there are no events for that source.
Below is how I want the result to show:
sourcetype: source1 count: 34
sourcetype: source2 count: 0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Another way to do this I just learned from my own Splunk Answers question is the method of |stats count(eval(condition)) as countName. Try this search out and see if it works for you:
index="myIndex" sourcetype=source1 OR sourcetype=source2
| stats count(eval(sourcetype=source1)) AS "Number of Source 1 Events", count(eval(sourcetype=source2)) AS "Source2 Events"
I used different "AS" formats to help breakdown the search - that way you can see what has changed and modify on your own. Anyway, this will add to your total only if the eval condition is true. The inner eval condition could just as easily be EventCode=4624 or anything else you'd like to count - the as is just formatting.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just answered this here:
https://answers.splunk.com/answers/781448/how-to-group-by-forcing-line-value.html#answer-780753
So like this:
index="myIndex" AND (sourctype="source1" OR sourcetype="source2")
| append [|makeresults
| rename COMMENT AS "This would better be done using a 'lookup' file with ' |inputlookup append=t' instead of '|makeresults ...'"
| eval sourcetype="source1 source2 list all possible values here"
| makemv sourcetype ]
| stats count(host) AS count BY sourcetype
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Another way to do this I just learned from my own Splunk Answers question is the method of |stats count(eval(condition)) as countName. Try this search out and see if it works for you:
index="myIndex" sourcetype=source1 OR sourcetype=source2
| stats count(eval(sourcetype=source1)) AS "Number of Source 1 Events", count(eval(sourcetype=source2)) AS "Source2 Events"
I used different "AS" formats to help breakdown the search - that way you can see what has changed and modify on your own. Anyway, this will add to your total only if the eval condition is true. The inner eval condition could just as easily be EventCode=4624 or anything else you'd like to count - the as is just formatting.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your help! This worked great!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this :
index="myIndex" AND (sourctype="source1" OR sourcetype="source2")
| stats count by sourcetype
| append
[| stats count
| eval sourcetype=split("source1,source2",",")
| mvexpand sourcetype]
| stats sum(count) as count by sourcetype
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If there are no events for the source, they won't be in the results. If you must show a count always, you can do this.
index="myIndex" AND (sourctype="source1" OR sourcetype="source2")
| stats count as total by sourcetype
|append
[|makeresults
| eval sourcetype=mvappend("source1", "source2")
| mvexpand sourcetype
| eval total=0]
|stats max(total) as total by sourcetype
Hope this helps.
Cheers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your help. I was stuck all day trying to do this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm seeing an issue with the answer. It's pretty 0 no matter what even where there are events for source 2 instead of showing the number of events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's strange. Can you check if there are no typos on the field names?
As a test, I tried this on the internal index and it works
index=_internal sourcetype=splunkd OR sourcetype=splunkd2
| stats count as total by sourcetype
| append
[| makeresults
| eval sourcetype=mvappend("splunkd", "splunkd2")
| mvexpand sourcetype
| eval total=0]
| stats max(total) as total by sourcetype
Can you paste this exact query and check if it works ?
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
