Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

help on if condition for results = 0

jip31
Motivator
‎10-09-2019 10:46 PM

hello

In a panel table, I need to display every key_path even if the key_path result = 0
I have done an if condition but it doenst works
could you help me please??

index="toto" sourcetype="WinRegistry" key_path="HKLM\\software\\microsoft\\windows nt\\currentversion\\xx" OR key_path="HKLM\\software\\microsoft\\windows nt\\currentversion\\yy" OR key_path="HKLM\\software\\wow6432node\\zz" 
| stats dc(host) as test by sourcetype key_path 
| eval test=if(test==0,"0", test)
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-09-2019 11:03 PM

@jip31

Can you please try this?

index="toto" sourcetype="WinRegistry" key_path="HKLM\\software\\microsoft\\windows nt\\currentversion\\xx" OR key_path="HKLM\\software\\microsoft\\windows nt\\currentversion\\yy" OR key_path="HKLM\\software\\wow6432node\\zz" 
| stats dc(host) as count by sourcetype key_path | append [| makeresults | eval sourcetype="WinRegistry", count=0, key_path="HKLM\\software\\microsoft\\windows nt\\currentversion\\xx||HKLM\\software\\microsoft\\windows nt\\currentversion\\yy||HKLM\\software\\wow6432node\\zz",key_path=split(key_path,"||") | mvexpand key_path | table sourcetype key_path count] | stats sum(count) as count by sourcetype key_path

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-09-2019 11:03 PM

@jip31

Can you please try this?

index="toto" sourcetype="WinRegistry" key_path="HKLM\\software\\microsoft\\windows nt\\currentversion\\xx" OR key_path="HKLM\\software\\microsoft\\windows nt\\currentversion\\yy" OR key_path="HKLM\\software\\wow6432node\\zz" 
| stats dc(host) as count by sourcetype key_path | append [| makeresults | eval sourcetype="WinRegistry", count=0, key_path="HKLM\\software\\microsoft\\windows nt\\currentversion\\xx||HKLM\\software\\microsoft\\windows nt\\currentversion\\yy||HKLM\\software\\wow6432node\\zz",key_path=split(key_path,"||") | mvexpand key_path | table sourcetype key_path count] | stats sum(count) as count by sourcetype key_path
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎10-09-2019 11:15 PM

hi its perfect thanks!

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-09-2019 11:18 PM

Great @jip31. Can you please upvote and accept this answer to close this question?

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...