Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to get a value - even if 0 results from search?

JYTTEJ
Communicator
‎07-22-2011 05:07 AM

I have a measurement on our system availability.

I have following summary index search:

SEARCH | delta _time AS timeDeltaS p=1 | eval timeDeltaS=abs(timeDeltaS) | eval timeDelta=tostring(timeDeltaS,"duration")|where timeDeltaS >150 |RENAME timeDeltaS as Sec_unavailable timeDelta as hh:mm:ss_unavailable |stats sum(Sec_unavailable) as total_unavail| eval seconds_in_month=(relative_time(_time,"@mon-1mon")-relative_time(_time,"@mon-2mon")) |sistats sum(total_unavail), sum(seconds_in_month)

This will return 0 results if we do not have any downtime during the month.

I use following search for the measurement report, in which I calculate the % availability:
index=summary REPORT=xxxxx |eval Month=strftime(_time,"%m") | Stats sum(total_unavail) sum(seconds_in_month) by date_year Month |rename sum(total_unavail) as unavail sum(seconds_in_month) as secmonth |eval avail=secmonth-unavail|eval AvailPct = round((avail/secmonth)*100,2)|chart sum(AvailPct) by Month |RENAME sum(AvailPct) as "Avail.Pct"

This gives following result - if the result of the summary search is <> 0 results.

Month Avail.Pct

1 04 99.99

2 06 99.99

The result of the summary search for Month 05 was zero (= no down time) - I would of course like to display the value for Month 05 as 100.00 - how do I accomplish this?

Tags (1)
Reply

JYTTEJ
Communicator
‎07-28-2011 06:39 AM

I did actually solve the problem myself:

Added append which select unvailability as 1 second: eval Sec_unavailable=1 and calculates the number of seconds in the month.

In order not to have the seconds in month repeated in the sum I then used the VALUES function - and then a stats sum.

|APPEND [SEARCH xxx | eval seconds_in_month=(relative_time(_time,"@mon-1mon")-relative_time(_time,"@mon-2mon"))|eval Sec_unavailable=1
] |stats values(Sec_unavailable) AS total_unavail values(seconds_in_month) as seconds_in_month|SISTATS SUM(total_unavail) SUM(seconds_in_month)

Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...