I am running a search query like this
index=w3c host=web-a OR host=web-b ASP_NET_SessionId=* c_ip=x.x.x.* | eval cur=if(_time>relative_time(now(),"-15m"),1,0) | stats dc(ASP_NET_SessionId) by cur | sort -cur
the return value of the above search sometimes return both values and sometime only one.
i.e.
Cur dc(ASP_NET_SessionId)
1 15
0 2
And sometimes I may get,
Cur dc(ASP_NET_SessionId)
1 12
And sometimes I may get, "No results found"
I suspect that I am not seeing the 2nd row (or No results found) here most likely because of the fact that the return value of dc(ASP_NET_SessionId) may be 0.
My question is, is there a way to modify the search so that I always get two rows even if the value is zero. I just want to display as zero and not a missing line or "No results found". So it should look like
Cur dc(ASP_NET_SessionId)
1 0
0 0