topic Re: Timechart with no data gives "No results found" in Splunk Search

Timechart with no data gives "No results found"

burwell — Fri, 01 Dec 2017 23:21:36 GMT

I want to show the number of bad errors each minute over an hour time period to show as an embedded report.

I am using:

   index=foo "Bad error" | timechart span=1m count as "Bad Error"

I am hitting the usual problem where if there were no bad errors in one hour the result is just "No results found" rather than a blank linechart.

I've spent time looking at the fillnull suggestions etc but can't find anything that works for me. Ideas?

Re: Timechart with no data gives "No results found"

niketn — Sat, 02 Dec 2017 03:13:12 GMT

@burwell, get the Splunk Dashboard Examples app from Splunkbase and check out Null Result Swapper example. Basically Splunk gives your two attributes i.e. depends and rejects, which can be attached to any visualization element like row, panel or chart etc and depending on whether the required token is set or unset they can show or hide the same.

In your case you can use the <progress> or <done> search event handler to access one of default job token i.e. $job.resultCount$ which will be 0 in case of no results found.

<done>
    <condition match=" 'job.resultCount' == 0">
        <set token="show_html">true</set>
    </condition>
    <condition>
        <unset token="show_html"/>
    </condition>
<done>

Refer to documentation: http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#done

Then use the token $show_token$ with depends attribute to show timechart only when results exist. You can also add an HTML panel with rejects attribute with the same token to show your custom error message in case no no results are found and $show_tokens$ is not set.

<chart rejects="$show_html$">
   ...
</chart>
<html depends="$show_token$">
     <div style="font-weight:bold;font-size:150%;text-align:center;color:red">
          No results found for selected timerange. Please relax the search filters or increase the time range.
     </div>
</html>

Try the following run anywhere dashboard:

<form>
  <label>Show hide using depends and rejects on no results found</label>
  <fieldset submitButton="false">
    <input type="time" token="tokTime" searchWhenChanged="true">
      <label>Select Time</label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart rejects="$show_html$">
        <search>
          <query>index=_internal sourcetype=splunkd log_level="ERROR"
          | timechart count</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <progress>
            <condition match="$job.resultCount$ == 0">
              <set token="show_html">true</set>
            </condition>
            <condition>
              <unset token="show_html"/>
            </condition>
          </progress>         
        </search>
      </chart>
      <html depends="$show_html$">
         <div style="font-weight:bold;font-size:150%;text-align:center;color:red">
              No results found for selected timerange. Please relax the search filters or increase the time range.
         </div>
      </html>
    </panel>
  </row>
</form>

Re: Timechart with no data gives "No results found"

burwell — Sat, 02 Dec 2017 06:27:43 GMT

Thanks for the detailed answer. Unfortunately, I need to embed the report in an iframe. As I understand it, I can't embed a dashboard.

Re: Timechart with no data gives "No results found"

niketn — Sat, 02 Dec 2017 11:24:05 GMT

@burwell, there is a crooked way of embedding a dashboard to your webpage, but it opens up clickjacking attack. Refer to my answer: https://answers.splunk.com/answers/582632/how-do-you-use-custom-xml-in-reports-from-dashboar.html#answer-584431

However, if you want to stick to Report you can try a search like the following:

index=_internal sourcetype=splunkd log_level=ERROR
| timechart count
| appendpipe 
    [| makeresults
    |  eval count=0]
    |  dedup _time

It appends a dummy row for current time with count 0. If timechart with any record exist current _time will have either 0 or positive count. Hence dedup _time will reject appended dummy row.
If timechart returns no results it will keep the dummy row for current time with count=0 hence it will show blank timechart instead of no results found.

For you sample query you can try the following:

 index=foo "Bad error" 
| timechart span=1m count as "Bad Error"
| appendpipe 
    [| makeresults
    |  eval "Bad Error"=0]
    |  dedup _time

Please see if one of these options works for you and confirm.

Re: Timechart with no data gives "No results found"

skoelpin — Sat, 02 Dec 2017 15:17:38 GMT

Slow clap. This is awesome @niketnilay

Re: Timechart with no data gives "No results found"

niketn — Sat, 02 Dec 2017 16:00:12 GMT

@skoelpin, thanks it means a lot 🙂

Re: Timechart with no data gives "No results found"

woodcock — Sat, 02 Dec 2017 20:30:48 GMT

Try this:

index=foo "Bad Error"
| appendpipe [|makeresults]
| timechart span=1m count(searchmatch("Bad error")) AS "Bad Error"

Re: Timechart with no data gives "No results found"

burwell — Sun, 03 Dec 2017 02:28:59 GMT

Hi Woodcock. So my "Bad Error" code was really status="500" and so I couldn't get this method to work. I wasn't sure what to put in the searchmatch..

Re: Timechart with no data gives "No results found"

burwell — Sun, 03 Dec 2017 02:30:21 GMT

Hi. Yes I did not want to open up clickjacking. Your solution above works perfectly! We see an empty timechart when there are no errors instead of the "No results" error. Perfect. Thanks.

Re: Timechart with no data gives "No results found"

niketn — Sun, 03 Dec 2017 06:37:40 GMT

Yay! Glad one of the options worked 🙂

Re: Timechart with no data gives "No results found"

woodcock — Sun, 03 Dec 2017 16:49:25 GMT

Try this:

index=foo status="500"
| appendpipe [|makeresults]
| timechart span=1m count(eval(status="500")) AS "Bad Error"

It should be much simpler.

Re: Timechart with no data gives "No results found"

burwell — Mon, 04 Dec 2017 01:35:32 GMT

Thanks Woodcock. This one does work and is about the same amount of time as the answer @niketnilay gave which I already accepted. I really appreciate the solution.

Re: Timechart with no data gives "No results found"

dbarnesroomstog — Thu, 15 Mar 2018 14:36:02 GMT

This worked well for me.

Re: Timechart with no data gives "No results found"

niketn — Thu, 15 Mar 2018 17:55:59 GMT

@dbarnesroomstogo, I am glad you found the answer useful. Do up vote the comment/s that helped 🙂