topic Re: Can you help me search to return results even if there are none available? in Splunk Search

Can you help me search to return results even if there are none available?

ryhluc01 — Mon, 14 Jan 2019 16:50:52 GMT

I have 2 source types that run every morning at 8:30am.

If 1 or more does not, I need to still see the source types as having a value of 0 instead of displaying "No results found. Try expanding the time range.".

Overall: I need all the specified source type names to be returned within the results so that I can assign a value of 0 to them.

This is what I have:

index=example sourcetype=exp1 OR sourcetype=exp2
| stats count(_time) as count by sourcetype

The above syntax will let me know how many reports ran in the last 24 hrs at the time we specified (which is what I want).

But, in the event that 1 or both or these reports fail to run, I need to still be able to see each source type within my results.

I would like to assign a 0 value to the count for the source type that didn't generate any results.

Re: Can you help me search to return results even if there are none available?

zonistj — Mon, 14 Jan 2019 18:16:04 GMT

Are you wanting to do this in a dashboard on inline in a search?

Re: Can you help me search to return results even if there are none available?

niketn — Mon, 14 Jan 2019 18:55:52 GMT

@ryhluc01 try the following search:

index=example sourcetype=exp1 OR sourcetype=exp2 
| stats count by sourcetype 
| append 
    [| makeresults 
    | fields - _time 
    | eval sourcetype="exp1,exp2" 
    | makemv sourcetype delim=","
    | mvexpand sourcetype 
    | eval count=0] 
| dedup sourcetype

Re: Can you help me search to return results even if there are none available?

ryhluc01 — Mon, 14 Jan 2019 19:06:57 GMT

inline search

Re: Can you help me search to return results even if there are none available?

ryhluc01 — Mon, 14 Jan 2019 19:10:42 GMT

@niketnilay You're amazing. This worked perfectly. Thank you so much for your input ^_^

Re: Can you help me search to return results even if there are none available?

niketn — Mon, 14 Jan 2019 21:05:52 GMT

Glad you found this working!

Re: Can you help me search to return results even if there are none available?

CryoHydra — Tue, 09 Apr 2019 11:04:51 GMT

index=example sourcetype=exp1 OR sourcetype=exp2 
| stats count(_time) as total_count eval(count(sourcetype="exp1") as ex1_count eval(count(sourcetype="exp2")) as ex2_count by index

This is another tweak you can employ in your search 😉