Solved: How to show 0 occurrences of a field value in a ta...

lfojacintho · ‎03-02-2015

Hello,

I'm doing a table to summarize some data and I want the table show the column or the row even if a given field value is not found.
For example, I have the following search:

index=index (field1=value11 OR field1=value12) AND (field2=value21 OR field2=value22) | chart count over field1 by field2

and it gives me the following:

field1   value21   value22
value11      2        3
value12      0        1

which is what I want. But if I use a real-time window and an event with value12 doesn't occur, it gives me:

field1   value21   value22
value11      2        3

and I want it to show me:

field1   value21   value22
value11      2        3
value12      0        0

Is there any way to do that?

Thanks!

dwaddle · ‎03-02-2015

Dupe question, see http://answers.splunk.com/answers/97525/show-a-result-even-if-no-events-match.html

View solution in original post

dwaddle · ‎03-02-2015

Dupe question, see http://answers.splunk.com/answers/97525/show-a-result-even-if-no-events-match.html

sanjay_shrestha · ‎03-02-2015

You can append events with 0 0 for all values i.e. for value11 & value12 for this example. Later you can remove as it appears in the query.

lfojacintho · ‎03-02-2015

I tried a solution with appendcols to each subsearch, but I think the dwaddle answer is more performatic, using lookup table.

Thanks

How to show 0 occurrences of a field value in a table?

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Are you a member of the Splunk Community?

How to show 0 occurrences of a field value in a table?

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management