https://community.splunk.com/t5/Splunk-Search/Table-message-when-No-results-found/m-p/74250#M18689 <P>Thank you for the <CODE>appendpipe</CODE>. I made the following changes as per my requirement. It is working fine now.<BR /> Now Success returns <CODE>0</CODE>, Failure returns <CODE>1</CODE>, No results found returns <CODE>9</CODE>.</P> <PRE><CODE>| eval final = if(status_="exist", 0, 1) | table final | appendpipe [stats count| eval final=9 | where count==0 |table final] | outputlookup output.csv </CODE></PRE> Wed, 25 Jan 2017 09:41:01 GMT biec1 2017-01-25T09:41:01Z https://community.splunk.com/t5/Splunk-Search/Table-message-when-No-results-found/m-p/74239#M18678 <P>How to print a custom message in a table when <STRONG>No results found</STRONG>, when no logs?</P> <P>example search:</P> <P><STRONG>index=test | eval msg="No logs!" | table msg</STRONG></P> <PRE><CODE>No results found. </CODE></PRE> <P>but I want table</P> <PRE><CODE> msg | No logs! | </CODE></PRE> Wed, 13 Jun 2012 13:58:18 GMT https://community.splunk.com/t5/Splunk-Search/Table-message-when-No-results-found/m-p/74239#M18678 mewtwo 2012-06-13T13:58:18Z https://community.splunk.com/t5/Splunk-Search/Table-message-when-No-results-found/m-p/74240#M18679 <P>This occurs because the search <CODE>index=test</CODE> returns no events, which gives <CODE>eval</CODE> no objects to decorate with the "msg" field.</P> <P>Since what you seem to want here is a no-op search, I suggest the following search string, which appears to yield the desired results :</P> <P><CODE>| stats count | eval msg="No logs!" | table msg</CODE></P> <P>The <CODE>| stats count</CODE> essentially acts as a no-op but yields one result that <CODE>eval</CODE> can then decorate with the "msg" field.</P> Wed, 13 Jun 2012 17:39:52 GMT https://community.splunk.com/t5/Splunk-Search/Table-message-when-No-results-found/m-p/74240#M18679 hexx 2012-06-13T17:39:52Z https://community.splunk.com/t5/Splunk-Search/Table-message-when-No-results-found/m-p/74241#M18680 <P><CODE>| stats count | eval msg = if(count == 0, "No Msg!","Msgs Exist!") | table msg</CODE></P> <P>Building from the mighty hexx's answer, I put in an if statement to only show "No Msg!" if there were indeed no events. eval msg="No logs!" would display the no log message even when it does return.</P> Wed, 13 Jun 2012 18:09:55 GMT https://community.splunk.com/t5/Splunk-Search/Table-message-when-No-results-found/m-p/74241#M18680 mikelanghorst 2012-06-13T18:09:55Z https://community.splunk.com/t5/Splunk-Search/Table-message-when-No-results-found/m-p/74242#M18681 <P>Just looking at the code, you only get a message stating whether data was found or not. Is there a way to show data when data exists, but the message "No Msg!" if there isn't? Sorry to rez an old post.</P> Fri, 19 Oct 2012 02:08:06 GMT https://community.splunk.com/t5/Splunk-Search/Table-message-when-No-results-found/m-p/74242#M18681 stephenho 2012-10-19T02:08:06Z https://community.splunk.com/t5/Splunk-Search/Table-message-when-No-results-found/m-p/74243#M18682 <P>I also have the same question as stephento</P> Wed, 13 Mar 2013 16:14:08 GMT https://community.splunk.com/t5/Splunk-Search/Table-message-when-No-results-found/m-p/74243#M18682 Splunk_U 2013-03-13T16:14:08Z https://community.splunk.com/t5/Splunk-Search/Table-message-when-No-results-found/m-p/74244#M18683 <P>If you wanted to show results of the instead of "Msgs Exist!" you could do:</P> <P>| stats count | eval msg = if(count == 0, "No Msg!",count) | table msg</P> <P>Sorry to rez an old post but I am searching for a solution on this as well...</P> Fri, 28 Feb 2014 19:16:49 GMT https://community.splunk.com/t5/Splunk-Search/Table-message-when-No-results-found/m-p/74244#M18683 MattZerfas 2014-02-28T19:16:49Z https://community.splunk.com/t5/Splunk-Search/Table-message-when-No-results-found/m-p/74245#M18684 <P>You are a genius, thank you ! </P> Tue, 24 Feb 2015 13:54:50 GMT https://community.splunk.com/t5/Splunk-Search/Table-message-when-No-results-found/m-p/74245#M18684 DavidHourani 2015-02-24T13:54:50Z https://community.splunk.com/t5/Splunk-Search/Table-message-when-No-results-found/m-p/74246#M18685 <P>Of note, this works with a simple "stats count". It does not work if you split your stats over a field (i.e. stats count by host). </P> <P>Also, if using this for a no-volume alert, you can use null as the second argument. Then your alert would be a "if results count &gt; 0".</P> <PRE><CODE>| stats count | eval status=if(count == 0,"No Volume",null) | table status </CODE></PRE> Tue, 08 Dec 2015 14:58:57 GMT https://community.splunk.com/t5/Splunk-Search/Table-message-when-No-results-found/m-p/74246#M18685 jeremiahc4 2015-12-08T14:58:57Z https://community.splunk.com/t5/Splunk-Search/Table-message-when-No-results-found/m-p/74247#M18686 <P>I am trying to include logic ,so that it can handle <CODE>No results found</CODE>.</P> <P>When <CODE>No events found</CODE>,the following returns 9. <BR /> When <CODE>Events Exist</CODE> the final field loses its scope after <CODE>stats</CODE>. <BR /> <CODE>| eval final = if(count=0,9,final)</CODE>:- Here the <CODE>final</CODE> field becomes inaccessible.</P> <PRE><CODE>| eval final = if(status_="exist", 0, 1) | stats count | eval final = if(count=0,9,final) | table final </CODE></PRE> <P>To make <CODE>final</CODE> field accessible after <CODE>stats</CODE>, i used <CODE>| stats count by final</CODE> . <BR /> This created additional problem, when the events are present, <CODE>| stats count by final</CODE> fails.</P> <PRE><CODE>| eval final = if(status_="exist", 0, 1) | stats count by final | eval final = if(count=0,9,final) | table final </CODE></PRE> Tue, 24 Jan 2017 11:16:33 GMT https://community.splunk.com/t5/Splunk-Search/Table-message-when-No-results-found/m-p/74247#M18686 biec1 2017-01-24T11:16:33Z https://community.splunk.com/t5/Splunk-Search/Table-message-when-No-results-found/m-p/74248#M18687 <P>Here is a different approach to doing this. With the query below if it does return results the will be displayed but if the query returns "No results found" then it will display whatever message you have in the eval statement and you can name the column header to whatever you would like as well. Just rename error to something else and change the table to at the end to match that.</P> <PRE><CODE>index=test |appendpipe [stats count| eval error="Your message here" | where count==0 |table error] </CODE></PRE> <P>Basicly just put the <CODE>|appendpipe [stats ...</CODE> after any query and it will display your message if there is no results to display.</P> Tue, 24 Jan 2017 14:15:15 GMT https://community.splunk.com/t5/Splunk-Search/Table-message-when-No-results-found/m-p/74248#M18687 MattZerfas 2017-01-24T14:15:15Z https://community.splunk.com/t5/Splunk-Search/Table-message-when-No-results-found/m-p/74249#M18688 <P>@biec1 Take a look at my answer I just posted and see if that solves your problem.</P> Tue, 24 Jan 2017 14:15:29 GMT https://community.splunk.com/t5/Splunk-Search/Table-message-when-No-results-found/m-p/74249#M18688 MattZerfas 2017-01-24T14:15:29Z https://community.splunk.com/t5/Splunk-Search/Table-message-when-No-results-found/m-p/74250#M18689 <P>Thank you for the <CODE>appendpipe</CODE>. I made the following changes as per my requirement. It is working fine now.<BR /> Now Success returns <CODE>0</CODE>, Failure returns <CODE>1</CODE>, No results found returns <CODE>9</CODE>.</P> <PRE><CODE>| eval final = if(status_="exist", 0, 1) | table final | appendpipe [stats count| eval final=9 | where count==0 |table final] | outputlookup output.csv </CODE></PRE> Wed, 25 Jan 2017 09:41:01 GMT https://community.splunk.com/t5/Splunk-Search/Table-message-when-No-results-found/m-p/74250#M18689 biec1 2017-01-25T09:41:01Z