topic Re: Single value return N/A instead of 0 in Splunk Search

Single value return N/A instead of 0

bckq — Sun, 03 Jun 2012 17:39:40 GMT

Hi. I have two field Single Value.
First is using search:

source="/var/log/online-alerts_splunk2.log" online_aname="*die*" AND NOT online_aname="*blog*error*died*" AND online_avalue>0| stats count by online_ahostname,online_aname,online_avalue | table online_ahostname online_aname  online_avalue | dedup online_ahostname online_aname  | stats count as lista  | rangemap field=lista low=0-0 default=severe

Second is using search:

index=mail watchdog | rex field=_raw "From = \"watchdog@(?<watch>.*) " | stats count by watch | stats max(count) as lista | rangemap field=lista low=0-4 default=severe

First search when not find any result display "0" in the SingleValue field. Second search when not find any result display "N/A". Could you help me to fix it? I need value "0" in second search too.

Re: Single value return N/A instead of 0

sideview — Mon, 04 Jun 2012 03:51:33 GMT

SingleValue has a number of odd corner cases where it displays "N/A" when 0 would be better. For instance if you're using postprocess, but the base search has 0 rows, it'll say "N/A". And that's even if the postprocess is something like "stats count", where it should thus say "0".

I think what's happening here, is that there are no values of watch defined, so stats count by watch is an empty result set. You can sort of repair this by having

This would mean that in the case where the 'watchless events' are the only events there, at least a 0 will make it through the whole search pipeline.

---UPDATE ------

Here is an updated search that should work even when you have no events at all matched in the initial search. I apologize but I assumed in my initial answer that you did have events returned consistently for 'index=mail watchdog', but that there was not always a 'watch' value extracted.

Anyway, here is the more robust form of the same idea. This search is resilient to the case when it matches no events at all.

Re: Single value return N/A instead of 0

bckq — Thu, 07 Jun 2012 10:31:11 GMT

Thanks for your reply. Unfortunately after replacing search by your code nothing has changed. Any other ideas? :<

Re: Single value return N/A instead of 0

sideview — Thu, 07 Jun 2012 16:03:04 GMT

If you test the searches by running them in flashtimeline, do they generate a result row? One way or another SingleValue prints "N/A" either when there are zero results, or if there's been an error or search exception along the way. Make sure you have a Message module so that search exceptions are displayed, and test the search manually to make sure it's returning a row. I may well have had a typo in there.

Re: Single value return N/A instead of 0

bckq — Tue, 19 Jun 2012 15:11:19 GMT

In flashtimeline I get message "No results found. Inspect ..." when there are not any alerts. Code that you pasted return correct values if there are any. So it looks like "fillnull" is not working as we want. I don't understand what do you mean "Message module". Where can I find it? Regards.

Re: Single value return N/A instead of 0

sideview — Tue, 19 Jun 2012 18:14:16 GMT

I see. I'll update my answer.

Re: Single value return N/A instead of 0

bckq — Mon, 06 Aug 2012 18:01:25 GMT

Your update works for me. Thank you very much! 🙂