Splunk Search

how to display a 0 result instead of an empty result

jip31
Motivator

hi

I use the search below and I would like to have 0 displayed when there are no corresponding events.
Could you help me please? Thanks

    eventtype="x" Name="x" 
    | fields Name, host 
    | dedup host
    | stats count by host
0 Karma
1 Solution

vnravikumar
Champion

Hi @jip31

Try this and let me know

    eventtype="x" Name="x"
    | fields Name, host
    | dedup host
    | stats count by host
    | appendpipe [stats count | where count=0 | eval host="Specify your text here"]


0 Karma
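A run-anywhere demonstration of the appendpipe pattern from the accepted answer, added here as an example and not taken from any post in the thread. `makeresults` fabricates three constructed events with hypothetical host values (host1, host2, host3) so the search needs no indexed data; the `where Name="x"` clause stands in for the original `eventtype="x" Name="x"` filter.

```spl
| makeresults count=3
| streamstats count AS n
| eval host="host".n, Name="x"
| where Name="x"
| stats count by host
| appendpipe [stats count | where count=0 | eval host="no matching events"]
```

With the filter matching, `stats count by host` yields three rows (one per constructed host), the inner `stats count` returns 3, `where count=0` drops it, and nothing is appended. Change `where Name="x"` to `where Name="y"` and the outer stats produces no rows, so the inner `stats count` returns a single row with count=0, which survives the `where` and is appended with host set to the placeholder text; that single zero row is what the question asked for.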


jip31
Motivator

thanks
if I put only appendpipe [stats count | where count=0], is it enough?
what is the use of eval host="Specify your text here"?

0 Karma

vnravikumar
Champion

yes, it's enough, but under the host column it will display empty. If you want to add some text info, you can specify it.

0 Karma

jip31
Motivator

ok, it's not a problem because I did a fields - host

0 Karma

vnravikumar
Champion

if it works, please accept my answer.

0 Karma

jip31
Motivator

sorry but I have an issue: it works, but even if there are results I have 0 instead of the results...

0 Karma

vnravikumar
Champion

@jip31, have you tried?

0 Karma

vik_splunk
Communicator

A more elegant way would be to use a combination of stats and eval. Please try this run-anywhere example, which I am sure can be customized for your use case. Also, instead of doing dedup and then count, dc (distinct count) can be used.

Try replacing log_level with DEBUG or any non-standard type in the search to see that it returns 0.

index=_internal sourcetype=splunkd log_level="ERROR"
|fields component,host
|stats dc(eval(if(isnull(host),0,host))) AS Count

Hope this helps!

0 Karma

chrisyounger
SplunkTrust

This is one way to do it. First create a CSV of all the valid hosts you want to show with a zero value. Call this hosts.csv and make sure it has a column called "host". Then change the query to be like so:

    eventtype="x" Name="x"
    | fields Name, host
    | dedup host
    | stats count by host
    | append [|inputlookup hosts.csv]
    | stats sum(count) as count by host
0 Karma

jip31
Motivator

thanks, but it's impossible to use a lookup...

0 Karma

vik_splunk
Communicator

@jip31

An elegant way to do this without lookups would be to use eval and stats, as can be seen in this run-anywhere example, which I am sure can be customized for your use case.

Also, you won't require dedup followed by stats, as dc (distinct count) does the same, and fields can be used to return only the field you count upon, as the filter has been done earlier.

index=_internal sourcetype=splunkd log_level="ERROR"
|fields host
|stats dc(eval(if(isnull(host),0,host))) AS Count

0 Karma

jip31
Motivator

Thanks, it's interesting

0 Karma

vik_splunk
Communicator

@jip31

Which solution worked for you?

The stats or the lookup based solution?

0 Karma

jip31
Motivator

The stats, but if there are events I also have 0 instead of the result...

0 Karma