Re: Stats not returning zero counts

karthi2809 · ‎01-24-2017

index=xxx |bucket _time span=3m |stats count by _time host IP
We are using the above stats command to get count instead of timechart just because we have two by clause fields. We need help in returning Zero count as part of stats iteslf if there is no data available.

jplumsdaine22 · ‎01-30-2017

(Assuming you want zero counts for host)
You're going to have to either maintain a lookup of the hosts you are interested in, or search for all the hosts in certain time range. If you're happy with a lookup, then you can run your query like this:

| inputlookup interesting_hosts 
| fields host 
| join type=left host [ 
  search index=xxx earliest=-60m 
  | bucket _time span=3m 
  | stats count by _time host IP
  ] 
| fillnull count value=0

If you want something more dynamic, you can search for the hosts first over a longer time range than your final search

| tstats earliest=-30d count WHERE index=xxx by host 
| fields host 
| join type=left host [ 
  search index=xxx earliest=-60m
  | bucket _time span=3m 
  | stats count by _time host IP
  ] 
| fillnull count value=0

Stats not returning zero counts

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation