I have a query
base query | stats count by ABC | fillnull
but i am getting "no result"
instead of this, i want to display ABC count as "zero"
Try this - from here: https://answers.splunk.com/answers/467823/if-there-are-no-results-found-how-do-i-get-my-sear.html
base query | stats count by ABC
| appendpipe [ stats count | eval "NoResults"="0" | where count=0 |table "NoResults"]
Try this
base query
| append [|makeresults | eval count=""]
| stats count by ABC
|eval count=if(isnotnull(count),0,'count')
Thanks for your help..still same result when i use this query
Works on mine..
Try this - from here: https://answers.splunk.com/answers/467823/if-there-are-no-results-found-how-do-i-get-my-sear.html
base query | stats count by ABC
| appendpipe [ stats count | eval "NoResults"="0" | where count=0 |table "NoResults"]
Awesome...i tried this query and its working fine..
I don't entirely follow what you're trying to achieve, but the purpose of fillnull is to populate empty fields with a null value, not to generate results when there are none. When the stats command returns 0 results, there is nothing to apply "fillnull" on.
If you can elaborate a bit more what you want to achieve (and if possible show some sample data and expected outcomes) we can try and help you find a solution that does work.
stats command displaying "no result found" but i need value zero to be displayed
can you try :
| stats count AS abc_count by ABC | fillnull abc_count value=0
still i am getting the same result
Do you need something like this:
https://answers.splunk.com/answers/582253/replacing-no-results-found-with-0.html
yes..could you please modify and provide the query
Can you share whole query? Is ABC field exist?
yes..it exist..please consider ABC is name of error