Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to return Zero if there is nothing returned for today?

ashidhingra
Path Finder
‎06-13-2022 10:07 AM

index=abc
| stats latest(_time) AS Last_time by day
| convert ctime(Last_time)
| sort by Last_time desc
 

for example, 

Monday 06/13/2022 13:03:11
Tuesday 06/13/2022 13:03:11
Wednesday 06/13/2022 13:03:11
Thursday 06/13/2022 13:03:11
Friday 06/12/2022 13:03:11
Saturday 06/13/2022 13:03:11
Sunday 06/13/2022 13:03:11

 

I want the search to return 0 // or something else if there was no event today.

Monday 06/13/2022 13:03:11
Tuesday 06/13/2022 13:03:11
Wednesday 06/13/2022 13:03:11
Thursday 06/13/2022 13:03:11
Friday 0 // or something else
Saturday 06/13/2022 13:03:11
Sunday 06/13/2022 13:03:11

 

Is that possible. 

Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-13-2022 03:32 PM

timechart will fill in the blanks in the time line - try something like this

| timechart latest(_time) as latest_time
| fillnull value=0
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...