Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Count by column with clausule where and fill with 0 if not found

miki73
Engager
‎10-11-2017 04:58 AM

Hello,
So situation is 

| stats count by col1 | where col1 IN ("tmp1", "tmp2", "tmp3")

and i call this for last 5 min, but sometimes for example "tmp1" is not happen in last 5 min so i want to put into my list value like

col1 count
tmp1 0
tmp2 5
tmp3 10

After that i want to create from this a chart so i need to include values with count=0 to analize.
anyone know how to handle that situation ?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kyaparla
Path Finder
‎10-11-2017 09:18 AM

Something like this, should work.

| stats count by col1 | appendpipe [tail 1 | eval col1=mvappend("tmp1", "tmp2", "tmp3") | eval count=0] | mvexpand col1 | stats max(count) as count by col1| where col1 IN ("tmp1", "tmp2", "tmp3")

If the list is too big, its better to put them in a lookup table and use append command.

link for lookup solution.
https://answers.splunk.com/answers/580763/help-needed-with-a-search-and-a-lookup.html#answer-582032

View solution in original post

Reply
Solved! Jump to solution
Solution

kyaparla
Path Finder
‎10-11-2017 09:18 AM

Something like this, should work.

| stats count by col1 | appendpipe [tail 1 | eval col1=mvappend("tmp1", "tmp2", "tmp3") | eval count=0] | mvexpand col1 | stats max(count) as count by col1| where col1 IN ("tmp1", "tmp2", "tmp3")

If the list is too big, its better to put them in a lookup table and use append command.

link for lookup solution.
https://answers.splunk.com/answers/580763/help-needed-with-a-search-and-a-lookup.html#answer-582032

Reply
Solved! Jump to solution

miki73
Engager
‎10-11-2017 11:02 PM

Works fine for me thank you 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...