In this blog we analyze how to show zero-count values in the output of the Splunk stats command. When we use the stats command, we see only the values whose count is greater than 0. Here we look at the values we expect to see but for which we get no count (count = 0).


Let's take an example:
Suppose I have 6 cards; I use a few of them frequently and the rest are not used. Whenever we use stats count, we get the count only for the cards that were used, but I want the information for all cards. The queries below show how to get the count of all the cards.

Query:
index=carecreditpayservice_prod ("User Entered CardType is :: VISA" OR "User Entered CardType is :: JCB" OR "User Entered CardType is :: MASTER" OR "User Entered CardType is :: MAESTRO" OR "User Entered CardType is :: DISCOVER" OR "User Entered CardType is :: CareCredit") | stats count by msg.message

In the screenshot below we can see the values of the cards that have a non-zero count.

Now suppose I want to see the full list of cards, including the ones that have a zero count.

Query:

index=carecreditpayservice_prod ("User Entered CardType is :: VISA" OR "User Entered CardType is :: JCB" OR "User Entered CardType is :: MASTER" OR "User Entered CardType is :: MAESTRO" OR "User Entered CardType is :: DISCOVER" OR "User Entered CardType is :: CareCredit") | stats count by msg.message | eval msg.message="User Entered CardType is :: VISA,User Entered CardType is :: JCB,User Entered CardType is :: MASTER,User Entered CardType is :: MAESTRO,User Entered CardType is :: DISCOVER,User Entered CardType is :: CareCredit" | makemv delim="," msg.message | mvexpand msg.message | append [search index=carecreditpayservice_prod ("User Entered CardType is :: VISA" OR "User Entered CardType is :: JCB" OR "User Entered CardType is :: MASTER" OR "User Entered CardType is :: MAESTRO" OR "User Entered CardType is :: DISCOVER" OR "User Entered CardType is :: CareCredit") ] | stats sum(eval(if(isnull(_time),0,1))) as count by msg.message

How it works: after the first stats, eval overwrites msg.message on every result row with the full comma-separated list of cards, and makemv plus mvexpand turn each row into one row per card; these rows have no _time. append then adds the raw events, which do have _time. The final stats adds 0 for every row without _time and 1 for every raw event, so every card in the list appears and the unused cards show a count of 0.
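The same zero-fill result can also be produced by appending one zero-count row per expected card to the stats output and summing, so the base search runs only once and the subsearch returns six rows instead of the raw events. This is an added example, not a query from the original post; it uses makeresults to construct five sample events so it can be pasted into any Splunk search bar, and the field name card and the sample data are assumptions.

```spl
| makeresults count=5
| streamstats count as n
| eval card=case(n<=3, "VISA", n=4, "MASTER", n=5, "JCB")
| stats count by card
| append
    [| makeresults
     | eval card=split("VISA,JCB,MASTER,MAESTRO,DISCOVER,CareCredit", ",")
     | mvexpand card
     | eval count=0
     | table card count]
| stats sum(count) as count by card
```

To apply it to real data, replace the three lines that construct the sample events with the base search and group by the field that holds the card type.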

