All Apps and Add-ons

Using Status Indicator Visualization with no events found (count should be set to 0 instead of NULL)

brandonbachman
Engager

I am using the following query to create a visualization that turns green if there are events, and if there are no events the background turns red.

server="SERVER-1"
| stats count by server
| eval server="SERVER-1", color=if(count<=0, '#dc4e41", "#65a637"),icon=if(count<=0,"times-circle","check-circle")
| table server icon color count

The visualization works correctly when there are events found (the background is green with a check icon).
However, when there are no events found, a message appears that says "No results found. Try expanding the time range."

Instead of "No results found" I would like count to be set to 0 which will make the background turn to red and make the icon change.
How do I make it so count is set to 0 so that the values for color and icon change to red and "times-circle"?

When there are no events I need count to be set to 0 instead of null

0 Karma
1 Solution

493669
Super Champion

Hi @brandonbachman,
as per solution from @woodcock -
Add this to the bottom of your search SPL string:

 | appendpipe [stats count | where count=0]

View solution in original post

493669
Super Champion

Hi @brandonbachman,
as per solution from @woodcock -
Add this to the bottom of your search SPL string:

 | appendpipe [stats count | where count=0]

joshimeister
Loves-to-Learn Lots

Hello @493669 ,

Im running into the same issue with the 0 value. Not sure what im doing wrong. I tried your suggestion but that didnt work for me.

Original query without your suggestion:

<query><basic query> error_field="*CRASHED*"
 | rex field=error_field "<error field content extracted with rex command>"
| stats count AS crashed_count BY app_name,org_name,space_name,name,crash_reason
| rangemap field=crashed_count #65a637=0-0 #F93208=1-9 #f58f39=10-99 #d93f3c=100-10000 default=#65a637
| rename range as range_color
| rangemap field=crashed_count ambulance=0-0 optin-monster=1-9 warning=10-99 stethoscope=100-10000 default=ambulance
| rename range as range_icon
| table crashed_count range_icon range_color</query>

 

With your suggestion:


<query><basic query> error_field="*CRASHED*"
 | rex field=error_field "<error_field content extracted with rex command>"
| stats count AS crashed_count BY app_name,org_name,space_name,name,crash_reason
| rangemap field=crashed_count #65a637=0-0 #F93208=1-9 #f58f39=10-99 #d93f3c=100-10000 default=#65a637
| rename range as range_color
| rangemap field=crashed_count ambulance=0-0 optin-monster=1-9 warning=10-99 stethoscope=100-10000 default=ambulance
| rename range as range_icon
| table crashed_count range_icon range_color
| appendpipe [stats count | where crashed_count=0]</query>

  

0 Karma

brandonbachman
Engager

That worked, thank you!

0 Karma
Get Updates on the Splunk Community!

New Release | Splunk Enterprise 9.3

Admins and Analyst can benefit from:  Seamlessly route data to your local file system to save on storage ...

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...