Stats not returning zero counts

karthi2809 · ‎01-24-2017

index=xxx |bucket _time span=3m |stats count by _time host IP
We are using the above stats command to get count instead of timechart just because we have two by clause fields. We need help in returning Zero count as part of stats iteslf if there is no data available.

jplumsdaine22 · ‎01-30-2017

(Assuming you want zero counts for host)
You're going to have to either maintain a lookup of the hosts you are interested in, or search for all the hosts in certain time range. If you're happy with a lookup, then you can run your query like this:

| inputlookup interesting_hosts 
| fields host 
| join type=left host [ 
  search index=xxx earliest=-60m 
  | bucket _time span=3m 
  | stats count by _time host IP
  ] 
| fillnull count value=0

If you want something more dynamic, you can search for the hosts first over a longer time range than your final search

| tstats earliest=-30d count WHERE index=xxx by host 
| fields host 
| join type=left host [ 
  search index=xxx earliest=-60m
  | bucket _time span=3m 
  | stats count by _time host IP
  ] 
| fillnull count value=0

Stats not returning zero counts

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation

Stats not returning zero counts

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026