Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

When the value is not showed in the result also i need to dispaly value as 0 in the result set ..

Shan
Builder
‎06-07-2018 05:37 AM

In the below query. When i filter the sectodate count greater than 5. I’m missing the count of values “Cool","Super . That’s is really fine as they doesn’t satisfies the where clause condition so data is not displaying in table. But Still I need to display both Cool and Super usage as 0 in the table is it possible.. Please help me on it. Thanks in advance..

indexXXXX ASSIGNED IN ("Cool","Super","Thunder","Lightray","Bluesky")

| eval newfield=now()
|eval Openeddates=strptime(Openeddate, "%Y-%m-%d %H:%M:%S")
| eval todate= strftime(strptime(Openeddate,"%Y-%m-%d %H:%M:%S"),"%Y-%m-%d %H:%M:%S")
| eval todate1= strftime(newfield,"%Y-%m-%d %H:%M:%S")
| eval TimeDiff1=strptime(todate1,"%Y-%m-%d %H:%M:%S")-strptime(todate,"%Y-%m-%d %H:%M:%S")
| eval sectodate=round(TimeDiff1/60/60/24,0)
| where sectodate>5
| stats count as Usage by ASSIGNED

alt text

Thanks in Advance ..

Tags (3)
Preview file
21 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎06-07-2018 07:56 AM

Add something like this after your existing code...

| rename COMMENT as "Add a zero record for each desired person ASSIGNED, and then stats them together "
| append [| makeresults 
    | eval ASSIGNED=mvappend("Cool","Super","Thunder","Lightray","Bluesky") 
    | mvexpand ASSIGNED 
    | eval Usage=0 
    | table ASSIGNED Usage
    ]
| stats sum(Usage) as Usage by ASSIGNED

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎06-07-2018 07:56 AM

Add something like this after your existing code...

| rename COMMENT as "Add a zero record for each desired person ASSIGNED, and then stats them together "
| append [| makeresults 
    | eval ASSIGNED=mvappend("Cool","Super","Thunder","Lightray","Bluesky") 
    | mvexpand ASSIGNED 
    | eval Usage=0 
    | table ASSIGNED Usage
    ]
| stats sum(Usage) as Usage by ASSIGNED
0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-07-2018 06:25 AM

@shankarananth

Is ASSIGNED values is fixed? ( ASSIGNED IN ("Cool","Super","Thunder","Lightray","Bluesky") ).

Can you please try following search?

indexXXXX ASSIGNED IN ("Cool","Super","Thunder","Lightray","Bluesky") 
| eval newfield=now() 
| eval Openeddates=strptime(Openeddate, "%Y-%m-%d %H:%M:%S") 
| eval todate= strftime(strptime(Openeddate,"%Y-%m-%d %H:%M:%S"),"%Y-%m-%d %H:%M:%S") 
| eval todate1= strftime(newfield,"%Y-%m-%d %H:%M:%S") 
| eval TimeDiff1=strptime(todate1,"%Y-%m-%d %H:%M:%S")-strptime(todate,"%Y-%m-%d %H:%M:%S") 
| eval sectodate=round(TimeDiff1/60/60/24,0) 
| where sectodate>5 
| stats count as Usage by ASSIGNED 
| append 
    [| makeresults 
    | eval mySelectedValue="Cool,Super,Thunder,Lightray,Bluesky", ASSIGNED =split(mySelectedValue,",") 
    | mvexpand ASSIGNED 
    | eval count=0 
    | table ASSIGNED count] | stats sum(count) as Count by ASSIGNED
0 Karma
Reply
Solved! Jump to solution

Shan
Builder
‎06-11-2018 07:41 AM

@kamlesh_vaghela

convert your comment as answer. So i can vote it ..

🙂

0 Karma
Reply
Solved! Jump to solution

HiroshiSatoh
Champion
‎06-07-2018 06:21 AM

Try this!

(your search)
| eval sectodate=round(TimeDiff1/60/60/24,0)
| where sectodate>5
| stats count as Usage by ASSIGNED
↓
(your search)
| eval sectodate=round(TimeDiff1/60/60/24,0)
| stats count(eval(if(sectodate>5,1,0))) as Usage by ASSIGNED
0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...