How to write a search to create a summary index wi...

burwell · ‎10-26-2016

I have a search to create a summary index which runs every 15 minutes:

 index=foo "myerror" | bin span=15m _time |  sistats count by _time

I'd like to have 0 in my summary search when there are no events matching "myerror".

How do I do that?

somesoni2 · ‎10-27-2016

Give this a try

  index=foo "myerror" | bin span=15m _time |  sistats count by _time | appendpipe [| stats count | where count=0 | addinfo  | eval _time=info_min_time| bucket span=15m _time | table _time count | sistats count by _time ]

burwell · ‎10-29-2016

I tried this (I am getting rid of the bin span)... this works except when there are no errors then it says 1 instead of 0.

I tried adding eval count=count-1 in the appendpipe clause but could not get this to give me zero.

index=foo "myerror" | sistats count |appendpipe [| stats count | where count=0 | addinfo  | eval _time=info_min_time|  table _time count |  sistats count    ]

jkat54 · ‎10-26-2016

See if this works: Change it from sistats to stats and use the collect command..,

 ... | stats count by _time | collect index=summary

burwell · ‎10-26-2016

Thanks but that didn't do it. I don't get data when I have no events.

How to write a search to create a summary index with a count of "0" when there are no events matching "myerror"?

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Calling All Security Pros: Ready to Race Through Boston?

What's New in Splunk Observability - July 2025

Are you a member of the Splunk Community?

How to write a search to create a summary index with a count of "0" when there are no events matching "myerror"?

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Calling All Security Pros: Ready to Race Through Boston?

What's New in Splunk Observability - July 2025