Refine your search:

Add 0 Count

1

Need some help adding a 0 count at search time.

I have a log that contains the execution duration of a code function. Using stats I can count the number of times the function took

|stats count by functionDuration

functionDuration|count
120|1
122|2
123|1
124|5
130|10
132|8

From this the functionDuration took 120 1 time, 122 2 times, etc...

I would like to show a count of 0 for the missing functionDuration times.

functionDuration|count
120|1
121|0
122|2
123|1
124|5
125|0
126|0
127|0
128|0
129|0
130|10
131|0
132|8

I searched around and couldn't find answer. Thanks for any help.

asked 09 May '12, 18:36

johnmca's gravatar image

johnmca
334
accept rate: 0%

2 Answers:
oldestnewestmost voted
1

It would be nice if you could just have a command called like generateRows rows=N that would generate a result set with N rows.

However we can hack one together ourselves using a search for the 1000 most recent events in the last 30 days.

<search terms> | stats count by functionDuration | append [| search index=* OR index=_internal earliest=-30d | head 1000 | fields - * | fields - _* | streamstats count | rename count as functionDuration | eval count=0] | stats sum(count) as count by functionDuration | sort functionDuration

The basic idea is, use our weird subsearch hack to append 1000 rows, with every functionDuration value from 1-1000 represented. Then when we wash the original "real" events together with the fake events, through `| stats sum(count) as count by functionDuration), suddenly we'll have every functionDuration value from 1-1000 represented...

Alternates: 1) Instead of the weird index=* OR index=_* search, you could also just use a csv in /var/run/dispatch that has 1000 rows in it.
2) Or you could do the trick in that other answer, where you do | eval foo="1,2,3,4,5,6,7,8,..." | eval foo=split(foo,",") | mvexpand foo, but I'm not sure those commands will be overjoyed at expanding out to thousands of rows... You might hit a limit around 100 or a couple hundred.

link

answered 10 May '12, 17:01

sideview's gravatar image

sideview ♦
26.4k4544
accept rate: 47%

edited 10 May '12, 17:03

0

Maybe this one could help with some inspiration? Include zero count in stats count on Splunk Answers

link

answered 10 May '12, 14:56

Ayn's gravatar image

Ayn
26.0k3717
accept rate: 41%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×7

Asked: 09 May '12, 18:36

Seen: 623 times

Last updated: 10 May '12, 17:03

Related questions

Count events with blank or null values

Alert when count = 0

Fillnull not working on my search

Pulldown cascade with a sometimes missing data value

Adding field to results of count querry

count(failure) is returning 0 always

SingleValue always displays N/A if count==0

[closed] stats count should give 0 count for non-matching keyword

Copyright © 2005-2012 Splunk Inc. All rights reserved.