Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

When the value is not showed in the result also i need to dispaly value as 0 in the result set ..

Shan
Builder
‎06-07-2018 05:37 AM

In the below query. When i filter the sectodate count greater than 5. I’m missing the count of values “Cool","Super . That’s is really fine as they doesn’t satisfies the where clause condition so data is not displaying in table. But Still I need to display both Cool and Super usage as 0 in the table is it possible.. Please help me on it. Thanks in advance..

indexXXXX ASSIGNED IN ("Cool","Super","Thunder","Lightray","Bluesky")

| eval newfield=now()
|eval Openeddates=strptime(Openeddate, "%Y-%m-%d %H:%M:%S")
| eval todate= strftime(strptime(Openeddate,"%Y-%m-%d %H:%M:%S"),"%Y-%m-%d %H:%M:%S")
| eval todate1= strftime(newfield,"%Y-%m-%d %H:%M:%S")
| eval TimeDiff1=strptime(todate1,"%Y-%m-%d %H:%M:%S")-strptime(todate,"%Y-%m-%d %H:%M:%S")
| eval sectodate=round(TimeDiff1/60/60/24,0)
| where sectodate>5
| stats count as Usage by ASSIGNED

alt text

Thanks in Advance ..

Tags (3)
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎06-07-2018 07:56 AM

Add something like this after your existing code...

| rename COMMENT as "Add a zero record for each desired person ASSIGNED, and then stats them together "
| append [| makeresults 
    | eval ASSIGNED=mvappend("Cool","Super","Thunder","Lightray","Bluesky") 
    | mvexpand ASSIGNED 
    | eval Usage=0 
    | table ASSIGNED Usage
    ]
| stats sum(Usage) as Usage by ASSIGNED

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎06-07-2018 07:56 AM

Add something like this after your existing code...

| rename COMMENT as "Add a zero record for each desired person ASSIGNED, and then stats them together "
| append [| makeresults 
    | eval ASSIGNED=mvappend("Cool","Super","Thunder","Lightray","Bluesky") 
    | mvexpand ASSIGNED 
    | eval Usage=0 
    | table ASSIGNED Usage
    ]
| stats sum(Usage) as Usage by ASSIGNED
0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-07-2018 06:25 AM

@shankarananth

Is ASSIGNED values is fixed? ( ASSIGNED IN ("Cool","Super","Thunder","Lightray","Bluesky") ).

Can you please try following search?

indexXXXX ASSIGNED IN ("Cool","Super","Thunder","Lightray","Bluesky") 
| eval newfield=now() 
| eval Openeddates=strptime(Openeddate, "%Y-%m-%d %H:%M:%S") 
| eval todate= strftime(strptime(Openeddate,"%Y-%m-%d %H:%M:%S"),"%Y-%m-%d %H:%M:%S") 
| eval todate1= strftime(newfield,"%Y-%m-%d %H:%M:%S") 
| eval TimeDiff1=strptime(todate1,"%Y-%m-%d %H:%M:%S")-strptime(todate,"%Y-%m-%d %H:%M:%S") 
| eval sectodate=round(TimeDiff1/60/60/24,0) 
| where sectodate>5 
| stats count as Usage by ASSIGNED 
| append 
    [| makeresults 
    | eval mySelectedValue="Cool,Super,Thunder,Lightray,Bluesky", ASSIGNED =split(mySelectedValue,",") 
    | mvexpand ASSIGNED 
    | eval count=0 
    | table ASSIGNED count] | stats sum(count) as Count by ASSIGNED
0 Karma
Reply
Solved! Jump to solution

Shan
Builder
‎06-11-2018 07:41 AM

@kamlesh_vaghela

convert your comment as answer. So i can vote it ..

🙂

0 Karma
Reply
Solved! Jump to solution

HiroshiSatoh
Champion
‎06-07-2018 06:21 AM

Try this!

(your search)
| eval sectodate=round(TimeDiff1/60/60/24,0)
| where sectodate>5
| stats count as Usage by ASSIGNED
↓
(your search)
| eval sectodate=round(TimeDiff1/60/60/24,0)
| stats count(eval(if(sectodate>5,1,0))) as Usage by ASSIGNED
0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...