Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Want to display count as zero in statistics when there is no events for a IP.

sathiyasun
Explorer
‎07-25-2019 01:22 AM

index=bc cs_host="collector" NOT 10.xx,xxx.121 c_ip=10.xx.xxx.233 OR c_ip=10.xx.xxx.234 OR c_ip=10.xx.xxx.248 OR c_ip=10.xx.xxx.250 OR c_ip=10.xx.xxx.42 OR c_ip=10.xx.xxx.43
|stats count by c_ip

It only display the count which has event, how could i force in search to display zero there is no data/event for an IP.
The screenshot display only the IP which has results but not showing which didnt have data/event.alt text

Preview file
1 KB
Reply
1 Solution
Solved! Jump to solution
Solution

grittonc
Contributor
‎07-25-2019 05:50 AM

I don't see a way to do this without telling Splunk the IPs that you want to see in your output. Give this a try:

index=bc cs_host="collector" NOT 10.xx,xxx.121 c_ip=10.xx.xxx.233 OR c_ip=10.xx.xxx.234 OR c_ip=10.xx.xxx.248 OR c_ip=10.xx.xxx.250 OR c_ip=10.xx.xxx.42 OR c_ip=10.xx.xxx.43 
|stats count by c_ip
| append
[| makeresults 
    | eval c_ip="10.xx.xxx.233, 10.xx.xxx.234, 10.xx.xxx.248, 10.xx.xxx.250, 10.xx.xxx.42, 10.xx.xxx.43" , count=0
    | makemv c_ip delim=", " 
    | mvexpand c_ip 
    | table c_ip, count]
| stats sum(count) as count by c_ip

If this works for you, you could skip the makeresults step by creating a lookup table with the IP addresses that you want, but you might not want that if you frequently change the list that you want.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

grittonc
Contributor
‎07-25-2019 05:50 AM

I don't see a way to do this without telling Splunk the IPs that you want to see in your output. Give this a try:

index=bc cs_host="collector" NOT 10.xx,xxx.121 c_ip=10.xx.xxx.233 OR c_ip=10.xx.xxx.234 OR c_ip=10.xx.xxx.248 OR c_ip=10.xx.xxx.250 OR c_ip=10.xx.xxx.42 OR c_ip=10.xx.xxx.43 
|stats count by c_ip
| append
[| makeresults 
    | eval c_ip="10.xx.xxx.233, 10.xx.xxx.234, 10.xx.xxx.248, 10.xx.xxx.250, 10.xx.xxx.42, 10.xx.xxx.43" , count=0
    | makemv c_ip delim=", " 
    | mvexpand c_ip 
    | table c_ip, count]
| stats sum(count) as count by c_ip

If this works for you, you could skip the makeresults step by creating a lookup table with the IP addresses that you want, but you might not want that if you frequently change the list that you want.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...