topic Re: Display result=0 rather than "No Results Found" in Splunk Search

Display result=0 rather than "No Results Found"

dpdwibedy — Mon, 27 Jul 2020 18:44:29 GMT

Hi All,

I'm using a query to get the total total count of a field ( different error messages ) .
Here is the search and stats being displayed:

index=sp_dev "ProductHandler" | rex field=message "operation\\\":\\\"(?<ErrorMessage>[A-Za-z]+)\\\""| stats count(ErrorMessage) as TotalErrors

TotalErrors

xxxx

Now I want to alert a trigger , when the error count is "0"

If I use :

index=sp_dev "ProductHandler" | rex field=message "operation\\\":\\\"(?<ErrorMessage>[A-Za-z]+)\\\""| stats count(ErrorMessage) as TotalErrors | where TotalErrors=0

It is not giving me result as "0" , rather than "No Results Found" .

If I use "where TotalErrors>0" I see the results.

So question is , how can I convert the "No Results Found" to value as "0"

Thanks,

Re: Display result=0 rather than "No Results Found"

richgalloway — Mon, 27 Jul 2020 20:56:46 GMT

The command

| where TotalErrors=0

tells Splunk to show the results only if there are no errors found in the index, but if there are no errors then there's nothing to display so you get "No results found".

To send an alert when you have no errors, don't change the search at all. Just change the alert to trigger when the number of results is zero.

If you really want a zero when there are no results, then try appendpipe.

Re: Display result=0 rather than "No Results Found"

dpdwibedy — Mon, 27 Jul 2020 21:36:29 GMT

@richgalloway , Thanks much . That worked.