topic Re: How do I append a specific field with specific values an counts to "no results" search results? in Splunk Search

How do I append a specific field with specific values an counts to "no results" search results?

williamcharlton — Wed, 13 Mar 2019 14:41:31 GMT

I've read about the many ways to have a dashboard panel show something other than "No results found", but none of them meet my goal. If the search on my panel yields no events, what I want to do is to construct the same output that would typically appear, the only difference being that the count attribute of each field value will be 0.

Details: The final piece of my search is .... AND (Type = "Critical" OR Type = "Error") | stats count by Type. So, if events are returned, and there is at least one each Critical and Error, then I'll see one field (Type) with two values (Critical and Error). The count attribute for each value is some positive, non-zero value, e.g., if there are 5 Critical and 6 Error, then:

Type       count
Critical   5
Error      6

So, how do I use, e.g., append or appendpipe to produce field Type with value Critical, count=0 and value Error, count = 0?

Type       count
Critical   0
Error      0

Re: How do I append a specific field with specific values an counts to "no results" search results?

somesoni2 — Wed, 13 Mar 2019 15:06:03 GMT

Give this a try

.... AND (Type = "Critical" OR Type = "Error") | stats count by Type
| appendpipe [| stats count | where count=0 | eval Type="Critical Error" | makemv Type | mvexpand Type]

Re: How do I append a specific field with specific values an counts to "no results" search results?

renjith_nair — Wed, 13 Mar 2019 15:06:33 GMT

@williamcharlton0028,

Try adding this to your search

| append 
    [| stats count 
    | eval Type ="Critical,Error"
    | makemv Type delim=","
    | mvexpand Type ]
| stats max(count) as count by Type

Re: How do I append a specific field with specific values an counts to "no results" search results?

vnravikumar — Wed, 13 Mar 2019 15:11:02 GMT

Hi @williamcharlton0028

Try like

yourquery| stats count by Type 
| appendpipe 
 [| stats count 
 | where count=0 
 | eval Type="Critical",count=0 
 | appendpipe 
     [| eval Type="Error",count=0]]

Re: How do I append a specific field with specific values an counts to "no results" search results?

williamcharlton — Wed, 13 Mar 2019 15:38:08 GMT

@vnravikumar works well except that it appends unconditionally, i.e., in my dashboard panel, when results are returned, I have two Critical values (>0 and 0) and two Error values (>0 and 0). Should append only when query returns no results. I see the | where count==0 but its apparently not working

Re: How do I append a specific field with specific values an counts to "no results" search results?

vnravikumar — Wed, 13 Mar 2019 15:57:43 GMT

Try this

| appendpipe 
    [| stats count 
    | where count=0 
    | eval Type="Critical",count=0 
    | appendpipe 
        [| eval Type="Error",count=0]]

Re: How do I append a specific field with specific values an counts to "no results" search results?

williamcharlton — Wed, 13 Mar 2019 16:06:37 GMT

@vnravikumar That did it. So, you changed it so that | eval Type="Critical",count=0 | appendpipe [| eval Type="Error",count=0] is performed only when count == 0. I see - thank -you

Re: How do I append a specific field with specific values an counts to "no results" search results?

vnravikumar — Wed, 13 Mar 2019 16:11:59 GMT

if resolved, please accept.

Re: How do I append a specific field with specific values an counts to "no results" search results?

williamcharlton — Wed, 13 Mar 2019 16:28:56 GMT

@ vnravikumar: accepted. Please update your original answer for future viewers?

Re: How do I append a specific field with specific values an counts to "no results" search results?

vnravikumar — Wed, 13 Mar 2019 16:31:17 GMT

thanks. I had updated