Splunk Search

How to modify the return value of stats count by search using eval

Contributor

I am running a search query like this

index=w3c host=web-a OR host=web-b ASP_NET_SessionId=* c_ip=x.x.x.* | eval cur=if(_time>relative_time(now(),"-15m"),1,0) | stats dc(ASP_NET_SessionId) by cur | sort -cur

The return value of the above search sometimes returns both values and sometimes only one.

i.e.

Cur    dc(ASP_NET_SessionId)
1            15
0             2

And sometimes I may get,

Cur    dc(ASP_NET_SessionId)
1            12

And sometimes I may get,
"No results found"

I suspect that I am not seeing the 2nd row (or am seeing "No results found") here most likely because the return value of dc(ASP_NET_SessionId) may be 0.

My question is: is there a way to modify the search so that I always get two rows even if the value is zero? I just want to display zero rather than a missing line or "No results found". So it should look like

Cur    dc(ASP_NET_SessionId)
1            0
0            0
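An alternative way to guarantee both cur rows, added here as an example and not taken from the thread: pad the grouped result with two zero rows built by makeresults, then collapse with max() so the real dc() value wins when it exists and 0 is shown when the bucket (or the whole search) returned nothing. It assumes the same index, hosts and field names as the original search.

```spl
index=w3c host=web-a OR host=web-b ASP_NET_SessionId=* c_ip=x.x.x.*
| eval cur=if(_time>relative_time(now(),"-15m"),1,0)
| stats dc(ASP_NET_SessionId) as sessions by cur
| append [
    | makeresults count=2
    | streamstats count as row
    | eval cur=row-1, sessions=0
    | fields cur sessions
  ]
| stats max(sessions) as sessions by cur
| sort -cur
```

The append runs even when the base search matches no events, so the "No results found" case becomes two rows with sessions=0.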

Contributor

Ok, the following query worked. It gave me the result I wanted as per above.

index=w3c host=web-a OR host=web-b ASP_NET_SessionId=* c_ip=x.x.x.* 
| eval cur=if(_time>relative_time(now(),"-15m"),1,0) 
| append [ stats count | eval cur = if(count == 0, 0,1)]
| append [ stats count | eval cur = if(count == 0, 1,0)]
| stats dc(ASP_NET_SessionId) by cur | sort -cur

SplunkTrust

Try the following

*| head 1 | eval cur="1,0" | fields cur | eval cur=split(cur,",") | mvexpand cur | join type=left cur [search index=w3c host=web-a OR host=web-b ASP_NET_SessionId=* c_ip=x.x.x.* | eval cur=if(_time>relative_time(now(),"-15m"),1,0) | stats dc(ASP_NET_SessionId) by cur ] | sort -cur

Champion

should be fields instead of field


Contributor

Thank you again. When I try the above, I get "unknown search command 'field'"

Sorry for my delayed response. I was away on leave for the last 4 weeks.


Super Champion

Try using fillnull.

index=w3c host=web-a OR host=web-b ASP_NET_SessionId=* c_ip=x.x.x.* | eval cur=if(_time>relative_time(now(),"-15m"),1,0) | fillnull value="0" | stats dc(ASP_NET_SessionId) by cur | sort -cur

Contributor

Thank you for your response. Tried that, no difference.
