Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to default a key value if a reduce function "stats" does not return any results...

lpolo
Motivator
‎01-22-2013 11:46 AM

I have the following query:

index=hello field=0 client=vip|stats dc(id) as no_event by client

If there is not any key=value pair "field=0" my reduced by _time function "stats" will not report any results. Based on these premises I have the following question which is related to:

[http://splunk-base.splunk.com/answers/67740/how-to-detect-and-fill-default-value-to-empty-value-field][1]

Is there a way in the splunk query language to default the results of the reduce function in case there is not any event?

Example:
log events:

01/01/2013 01:00:000 field=1 client=vip id=0002
01/02/2013 01:00:000 field=0 client=vip id=0006
01/03/2013 01:00:000 field=4 client=vip id=0008
01/05/2013 01:00:000 field=6 client=vip id=0010

Observation: There is not any event for 01/04/2013.

I need this result set:

_time                no_event
01/01/2013 01:00:000  1
01/02/2013 01:00:000  1
01/03/2013 01:00:000  1
01/04/2013 01:00:000  0
01/05/2013 01:00:000  1

Thanks,
Lp

Tags (1)
0 Karma
Reply

jonuwz
Influencer
‎01-22-2013 12:40 PM

Like this :

index=hello field=0 client=vip|stats dc(id) as no_event by client 
| appendpipe [ stats count as no_event | eval client="vip" | where no_event==0 ]

the appendpipe sets no_event to the number of rows returned.

We then create a field called client set to 'vip'

We then only add the row to the main search if no_event is 0

Update

index=hello field=0 client=vip
| stats dc(id) as no_event by _time
| makecontinuous _time
| fillnull value=0 no_event
Reply

lpolo
Motivator
‎01-23-2013 08:28 AM

Search command makecontinuous _time worked. I did not know this command.

Thank you.
Lp

0 Karma
Reply

jonuwz
Influencer
‎01-23-2013 05:39 AM

updated answer

0 Karma
Reply

lpolo
Motivator
‎01-23-2013 04:43 AM

I updated the question. So you may guide me if there is a solution.

0 Karma
Reply

jonuwz
Influencer
‎01-22-2013 02:14 PM

from my answer you referenced 😛 . You should post as answers, you post good comments.

0 Karma
Reply

jguarini
Path Finder
‎01-22-2013 12:55 PM

kind a like I posted 😉

0 Karma
Reply

jguarini
Path Finder
‎01-22-2013 12:09 PM

how about the solution presented in

http://splunk-base.splunk.com/answers/59589/no-results-found-to-be-represented-as-null-or-0

then you end could look like

| stats dc(id) as no_event by client | appendpipe [ stats count | eval id=0 | where count==0 | rename id as no_event | fields - count ]

0 Karma
Reply

lpolo
Motivator
‎01-22-2013 11:58 AM

Yes, I tried. it does not do the job.

0 Karma
Reply

jguarini
Path Finder
‎01-22-2013 11:52 AM

have you tried fillnull ?

maybe something like

index=hello field=0 client=vip|stats dc(id) as no_event by client | fillnull value=0 no_event

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...