Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to return Zero if there is nothing returned for today?

ashidhingra
Path Finder
‎06-13-2022 10:07 AM

index=abc
| stats latest(_time) AS Last_time by day
| convert ctime(Last_time)
| sort by Last_time desc
 

for example, 

Monday 06/13/2022 13:03:11
Tuesday 06/13/2022 13:03:11
Wednesday 06/13/2022 13:03:11
Thursday 06/13/2022 13:03:11
Friday 06/12/2022 13:03:11
Saturday 06/13/2022 13:03:11
Sunday 06/13/2022 13:03:11

 

I want the search to return 0 // or something else if there was no event today.

Monday 06/13/2022 13:03:11
Tuesday 06/13/2022 13:03:11
Wednesday 06/13/2022 13:03:11
Thursday 06/13/2022 13:03:11
Friday 0 // or something else
Saturday 06/13/2022 13:03:11
Sunday 06/13/2022 13:03:11

 

Is that possible. 

Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-13-2022 03:32 PM

timechart will fill in the blanks in the time line - try something like this

| timechart latest(_time) as latest_time
| fillnull value=0
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...