Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

When the value is not showed in the result also i need to dispaly value as 0 in the result set ..

Shan
Builder
‎06-07-2018 05:37 AM

In the below query. When i filter the sectodate count greater than 5. I’m missing the count of values “Cool","Super . That’s is really fine as they doesn’t satisfies the where clause condition so data is not displaying in table. But Still I need to display both Cool and Super usage as 0 in the table is it possible.. Please help me on it. Thanks in advance..

indexXXXX ASSIGNED IN ("Cool","Super","Thunder","Lightray","Bluesky")

| eval newfield=now()
|eval Openeddates=strptime(Openeddate, "%Y-%m-%d %H:%M:%S")
| eval todate= strftime(strptime(Openeddate,"%Y-%m-%d %H:%M:%S"),"%Y-%m-%d %H:%M:%S")
| eval todate1= strftime(newfield,"%Y-%m-%d %H:%M:%S")
| eval TimeDiff1=strptime(todate1,"%Y-%m-%d %H:%M:%S")-strptime(todate,"%Y-%m-%d %H:%M:%S")
| eval sectodate=round(TimeDiff1/60/60/24,0)
| where sectodate>5
| stats count as Usage by ASSIGNED

alt text

Thanks in Advance ..

Tags (3)
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎06-07-2018 07:56 AM

Add something like this after your existing code...

| rename COMMENT as "Add a zero record for each desired person ASSIGNED, and then stats them together "
| append [| makeresults 
    | eval ASSIGNED=mvappend("Cool","Super","Thunder","Lightray","Bluesky") 
    | mvexpand ASSIGNED 
    | eval Usage=0 
    | table ASSIGNED Usage
    ]
| stats sum(Usage) as Usage by ASSIGNED

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎06-07-2018 07:56 AM

Add something like this after your existing code...

| rename COMMENT as "Add a zero record for each desired person ASSIGNED, and then stats them together "
| append [| makeresults 
    | eval ASSIGNED=mvappend("Cool","Super","Thunder","Lightray","Bluesky") 
    | mvexpand ASSIGNED 
    | eval Usage=0 
    | table ASSIGNED Usage
    ]
| stats sum(Usage) as Usage by ASSIGNED
0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-07-2018 06:25 AM

@shankarananth

Is ASSIGNED values is fixed? ( ASSIGNED IN ("Cool","Super","Thunder","Lightray","Bluesky") ).

Can you please try following search?

indexXXXX ASSIGNED IN ("Cool","Super","Thunder","Lightray","Bluesky") 
| eval newfield=now() 
| eval Openeddates=strptime(Openeddate, "%Y-%m-%d %H:%M:%S") 
| eval todate= strftime(strptime(Openeddate,"%Y-%m-%d %H:%M:%S"),"%Y-%m-%d %H:%M:%S") 
| eval todate1= strftime(newfield,"%Y-%m-%d %H:%M:%S") 
| eval TimeDiff1=strptime(todate1,"%Y-%m-%d %H:%M:%S")-strptime(todate,"%Y-%m-%d %H:%M:%S") 
| eval sectodate=round(TimeDiff1/60/60/24,0) 
| where sectodate>5 
| stats count as Usage by ASSIGNED 
| append 
    [| makeresults 
    | eval mySelectedValue="Cool,Super,Thunder,Lightray,Bluesky", ASSIGNED =split(mySelectedValue,",") 
    | mvexpand ASSIGNED 
    | eval count=0 
    | table ASSIGNED count] | stats sum(count) as Count by ASSIGNED
0 Karma
Reply
Solved! Jump to solution

Shan
Builder
‎06-11-2018 07:41 AM

@kamlesh_vaghela

convert your comment as answer. So i can vote it ..

🙂

0 Karma
Reply
Solved! Jump to solution

HiroshiSatoh
Champion
‎06-07-2018 06:21 AM

Try this!

(your search)
| eval sectodate=round(TimeDiff1/60/60/24,0)
| where sectodate>5
| stats count as Usage by ASSIGNED
↓
(your search)
| eval sectodate=round(TimeDiff1/60/60/24,0)
| stats count(eval(if(sectodate>5,1,0))) as Usage by ASSIGNED
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...