Splunk Search

When using "tstats count", how to display zero results if there are no counts to display?

jsh315
Engager

I need to use tstats vs stats for performance reasons. I would like tstats count to show 0 if there are no counts to display.

| tstats count where index="abc" by _time span=1h

This would return a table with _time (every hour) and count, like this:

_time                   count
2017-01-01 12:00        50
2017-01-01 13:00        62
2017-01-01 14:00        14

But if the count is zero, it doesn't return that row. How do I get this to display 0 count for that hour?

Thank you.

0 Karma
1 Solution

rjthibod
Champion

How about this

 | tstats count where index="abc" by _time span=1h | makecontinuous span=1h _time | fillnull value=0

View solution in original post

rjthibod
Champion

How about this

 | tstats count where index="abc" by _time span=1h | makecontinuous span=1h _time | fillnull value=0

jsh315
Engager

Did not work. Still getting empty rows for where count is zero.

0 Karma

rjthibod
Champion

Try this instead

  | tstats count where index="abc" by _time span=1h | timechart span=1h max(count) as count | fillnull value=0 count
0 Karma

jsh315
Engager

That worked. If you have time I would greatly appreciate the explanation of your query. Thank you so much.

0 Karma

rjthibod
Champion

timechart by default (unless you specify fixedrange=f) creates a row for each time bucket from the beginning of the search period until the end of the search period. So, the timechart creates all the necessary rows, and then fillnull puts a 0 in all empty row.

0 Karma

jsh315
Engager

Thanks for the response. Your solution works if there is at least one row that returned some count but if all the rows had zero count then I get "No results found.". Is there a solution to handle this case as well? Thanks a lot.

0 Karma

rjthibod
Champion

Yes, you can use append to include a dummy value that gets filtered out if there is real data.

| tstats count where index="abc" by _time span=1h 
| addtotals fieldname=Total
| append [|gentimes start=-1 | addinfo | table info_min_time | bin info_min_time as _time span=1h | eval count = 0 | eval Total = 0 | table _time count Total]
| where (Total = 0 OR count > 0)
| timechart span=1h max(count) as count
| fillnull value=0
0 Karma

jsh315
Engager

That worked. Thanks a lot!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...