Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to include results where count is 0 in a an ex...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Currently I have a search query that will show when an event happens with the device_id, count, and the device name. The search is set up to count when an event happens, but I also want to know when the event doesn't happen, so it counts devices with 0 count.
Here is my search:
sourcetype="transactions" AND (additionalMessage.requestUrl="*/cashIn/initialize" OR additionalMessage.requestUrl="*/cashIn/update" OR additionalMessage.requestUrl="*/cashIn/updateStatus" OR additionalMessage.requestUrl="*/cashIn/finalize") AND message != "Token time nonce*" message="POST - http://transactions/cashIn/finalize - RESPONSE_SENT"
|rename additionalMessage.requestBody.deviceId as device_id
|stats count(message) by device_id |sort -count(message)
|lookup DeviceNamesAll.csv device_id OUTPUT device_name
Search will show this:
| device_id | count(message) | device_name |
| 0297f12-e0ac-40d6-8ff5-2d2c2787b | 45 | Store12 |
| 37ca5c1-2c3f-41d-88d4-57f8b354c4 | 41 | Store54 |
I cant figure out how to also count the device_id's that have a count of 0. If anyone could help it would be greatly appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this
sourcetype="transactions" AND (additionalMessage.requestUrl="*/cashIn/initialize" OR additionalMessage.requestUrl="*/cashIn/update" OR additionalMessage.requestUrl="*/cashIn/updateStatus" OR additionalMessage.requestUrl="*/cashIn/finalize") AND message != "Token time nonce*" message="POST - http://transactions/cashIn/finalize - RESPONSE_SENT"
|rename additionalMessage.requestBody.deviceId as device_id
|stats count(message) as count by device_id
|lookup DeviceNamesAll.csv device_id OUTPUT device_name
| append [| inputlookup DeviceNamesAll.csv | table device_id device_name | eval count=0 ]
| stats max(count) as count by device_id device_name
|sort -count | rename count as "count(message)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this
sourcetype="transactions" AND (additionalMessage.requestUrl="*/cashIn/initialize" OR additionalMessage.requestUrl="*/cashIn/update" OR additionalMessage.requestUrl="*/cashIn/updateStatus" OR additionalMessage.requestUrl="*/cashIn/finalize") AND message != "Token time nonce*" message="POST - http://transactions/cashIn/finalize - RESPONSE_SENT"
|rename additionalMessage.requestBody.deviceId as device_id
|stats count(message) as count by device_id
|lookup DeviceNamesAll.csv device_id OUTPUT device_name
| append [| inputlookup DeviceNamesAll.csv | table device_id device_name | eval count=0 ]
| stats max(count) as count by device_id device_name
|sort -count | rename count as "count(message)"
New Year, New Changes for Splunk Certifications
Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!
[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events
