Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Include zero count in stats count

johandk
Path Finder
‎05-06-2011 12:51 AM

I have a search like this:

sourcetype="wineventlog:security" (host="Server1" OR host="server2" OR host="server3") | stats count(host) by host

This returns server1 and server2 and their counts but not server3 cause there is no events for it. How do I force it for server3 to display in the table with a zero count??

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎05-06-2011 02:34 PM

This search would show a count of those servers:

|stats count | eval host="Server1,Server2,Server3" | makemv delim="," host | mvexpand host | append [search sourcetype="wineventlog:security" (host="Server1" OR host="Server2" OR host="Server3")] | stats sum(eval(if(isnull(_time),0,1))) as count by host

If there are many servers, it may be easier to maintain the list in a lookup file.

Alternatively, if you want to show counts of all servers Splunk has seen you can lead with a metadata command and obviate the need to specify servers.

View solution in original post

Reply
Solved! Jump to solution

samkidman
Engager
‎05-20-2014 09:22 PM

Heres a way to do it if you have a large number of hosts that match a regex without using a lookup file:

|stats count | eval [|metadata type=hosts |regex host="<matching hosts>"| fields + host | mvcombine delim="," host | nomv host | format "","","","","",""] | makemv delim="," host | mvexpand host | append [search sourcetype="wineventlog:security" | regex host="<matching hosts>" ] | stats sum(eval(if(isnull(_time),0,1))) as count by host
Reply
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎05-06-2011 02:34 PM

This search would show a count of those servers:

|stats count | eval host="Server1,Server2,Server3" | makemv delim="," host | mvexpand host | append [search sourcetype="wineventlog:security" (host="Server1" OR host="Server2" OR host="Server3")] | stats sum(eval(if(isnull(_time),0,1))) as count by host

If there are many servers, it may be easier to maintain the list in a lookup file.

Alternatively, if you want to show counts of all servers Splunk has seen you can lead with a metadata command and obviate the need to specify servers.

Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...