Let take an example:
Suppose I have 6 cards and I am frequently using few cards and rests of the cards are not used. Whenever we use stats count, we will get the count of those cards which are used but I want the information of all cards. So using the below query we can get the count of all the cards.Query:
index=carecreditpayservice_prod ("User Entered CardType is :: VISA" OR "User Entered CardType is :: JCB"Ā OR "User Entered CardType is :: MASTER" OR "User Entered CardType is :: MAESTRO"Ā Ā OR "User Entered CardType is :: DISCOVER" OR "User Entered CardType is :: CareCredit")|stats count by msg.messageĀ
In below screenshot we can see the value of those cards which has non-zero count.
Now if I want to see the total list of cards even the ones which has zero count.
Query:
index=carecreditpayservice_prod ("User Entered CardType is :: VISA" OR "User Entered CardType is :: JCB"Ā OR "User Entered CardType is :: MASTER" OR "User Entered CardType is :: MAESTRO"Ā Ā OR "User Entered CardType is :: DISCOVER" OR "User Entered CardType is :: CareCredit")|stats count by msg.message |eval msg.message="User Entered CardType is :: VISA,User Entered CardType is :: JCB,User Entered CardType is :: MASTER,User Entered CardType is :: MAESTRO,User Entered CardType is :: DISCOVER,User Entered CardType is :: CareCredit"Ā | makemv delim="," msg.message| mvexpand msg.message | append [search index=carecreditpayservice_prod ("User Entered CardType is :: VISA" OR "User Entered CardType is :: JCB"Ā OR "User Entered CardType is :: MASTER" OR "User Entered CardType is :: MAESTRO"Ā Ā OR "User Entered CardType is :: DISCOVER" OR "User Entered CardType is :: CareCredit") ] | stats sum(eval(if(isnull(_time),0,1))) as count by msg.message
If you are still facing issue regarding how to show zero count fields in stats command topic Feel free to Ask Doubts in the Comment Box Below and Don’t Forget to Follow us on š Social Networks, happy SplunkingĀ >š
