topic Re: Display a custom text when results=0 in Splunk Search

Display a custom text when results=0

Richy_s — Mon, 01 Jul 2024 11:19:50 GMT

How do I run a search against a sourcetype (which is very low volume), and display a custom text when there are 0 events found. Search should be run for 30days, with a span of 1day.

Output should be -

_time results

04-23-2024 "No events found"

06-30-2024 23

Re: Display a custom text when results=0

ITWhisperer — Mon, 01 Jul 2024 11:25:45 GMT

| eval results=if(results=0,"No events Found",results)

Re: Display a custom text when results=0

Richy_s — Mon, 01 Jul 2024 12:59:26 GMT

@ITWhisperer Thank you for your response. But it did not work. I don't get any results.

Re: Display a custom text when results=0

PickleRick — Mon, 01 Jul 2024 13:00:26 GMT

If you're using the timechart command, it generates zero count for periods when there is no values. Otherwise you need to use this approach https://www.duanewaddle.com/proving-a-negative/

Re: Display a custom text when results=0

ITWhisperer — Mon, 01 Jul 2024 13:03:00 GMT

Please share your full search so we might be able to determine why you are not getting any results.

Re: Display a custom text when results=0

Richy_s — Mon, 01 Jul 2024 16:03:41 GMT

So I have a data source which is very low volume and is not expected to have events at all (like only if there is an unexpected event, it logs that). I have a requirement to produce a report showing there were no unexpected events in last 90days. I tried following search query but it is not giving the results per day.

index=foo | timechart span=1d count as event_count by sourcetype | append [|stats count as event_count | eval text="no events found"]

PS - the count you are seeing below is for the other sourceytpe that is under the same index=foo, and the sourcetype where the count is 0 is displayed at the bottom ( sourcetype name is not displayed as there are no events for that sourcetype).

I want my output to be specific to this sourcetype and display count = 0 for all the days where the data is not present.

Re: Display a custom text when results=0

ITWhisperer — Mon, 01 Jul 2024 16:39:40 GMT

If you know all the sourcetypes you are interested in (A, B, C, D, E, F in my example), you could do something like this

| timechart span=1d count as event_count by sourcetype usenull=f | foreach A B C D E F [| eval <<FIELD>>=coalesce(<<FIELD>>,0) | eval <<FIELD>>=if(<<FIELD>>==0,"No events found",<<FIELD>>)]

Re: Display a custom text when results=0

MuS — Tue, 02 Jul 2024 00:00:26 GMT

Another example here:
Solved: Re: How to use eval if there is no result from the... - Splunk Community

Re: Display a custom text when results=0

Richy_s — Wed, 03 Jul 2024 12:41:06 GMT

Thank you @ITWhisperer. This seems to be working however it is not displaying the "No events found" where there are 0 or blank events. Attached snapshot below. Also, can you please explain the query.

Re: Display a custom text when results=0

ITWhisperer — Wed, 03 Jul 2024 17:23:08 GMT

Try putting the <<FIELD>> on the right-hand side of the assignment in single quotes (since you have chosen to hide your sourcetypes, it could be that they have special characters in which the single quotes will deal with)

| timechart span=1d count as event_count by sourcetype usenull=f | foreach A B C D E F [| eval <<FIELD>>=coalesce('<<FIELD>>',0) | eval <<FIELD>>=if('<<FIELD>>'==0,"No events found",'<<FIELD>>')]

Re: Display a custom text when results=0

Richy_s — Thu, 04 Jul 2024 10:38:33 GMT

That worked, one last thing, how do I display only specific sourcetype out of (A B C D E) for where event for each day?

Re: Display a custom text when results=0

ITWhisperer — Thu, 04 Jul 2024 10:43:12 GMT

Not sure I understand the requirement - do you want to remove the sourcetypes which have events every day? Please clarify

Re: Display a custom text when results=0

Richy_s — Thu, 04 Jul 2024 16:16:41 GMT

That worked!! One last thing, how do I display only specific sourcetype out of (A B C D E) for where the events for all the days=0. reword this statement

Re: Display a custom text when results=0

ITWhisperer — Thu, 04 Jul 2024 16:51:11 GMT

There are a number of ways to do this - to find which sourcetypes have zero events, create an event for each sourcetype with a zero count and add it to the count for the sourcetype, and where the count is still zero, there were no events for that sourcetype.