Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Using Status Indicator Visualization with no event...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am using the following query to create a visualization that turns green if there are events, and if there are no events the background turns red.
server="SERVER-1"
| stats count by server
| eval server="SERVER-1", color=if(count<=0, '#dc4e41", "#65a637"),icon=if(count<=0,"times-circle","check-circle")
| table server icon color count
The visualization works correctly when there are events found (the background is green with a check icon).
However, when there are no events found, a message appears that says "No results found. Try expanding the time range."
Instead of "No results found" I would like count to be set to 0 which will make the background turn to red and make the icon change.
How do I make it so count is set to 0 so that the values for color and icon change to red and "times-circle"?
When there are no events I need count to be set to 0 instead of null
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @brandonbachman,
as per solution from @woodcock -
Add this to the bottom of your search SPL string:
| appendpipe [stats count | where count=0]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @brandonbachman,
as per solution from @woodcock -
Add this to the bottom of your search SPL string:
| appendpipe [stats count | where count=0]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @493669 ,
Im running into the same issue with the 0 value. Not sure what im doing wrong. I tried your suggestion but that didnt work for me.
Original query without your suggestion:
<query><basic query> error_field="*CRASHED*"
| rex field=error_field "<error field content extracted with rex command>"
| stats count AS crashed_count BY app_name,org_name,space_name,name,crash_reason
| rangemap field=crashed_count #65a637=0-0 #F93208=1-9 #f58f39=10-99 #d93f3c=100-10000 default=#65a637
| rename range as range_color
| rangemap field=crashed_count ambulance=0-0 optin-monster=1-9 warning=10-99 stethoscope=100-10000 default=ambulance
| rename range as range_icon
| table crashed_count range_icon range_color</query>
With your suggestion:
<query><basic query> error_field="*CRASHED*"
| rex field=error_field "<error_field content extracted with rex command>"
| stats count AS crashed_count BY app_name,org_name,space_name,name,crash_reason
| rangemap field=crashed_count #65a637=0-0 #F93208=1-9 #f58f39=10-99 #d93f3c=100-10000 default=#65a637
| rename range as range_color
| rangemap field=crashed_count ambulance=0-0 optin-monster=1-9 warning=10-99 stethoscope=100-10000 default=ambulance
| rename range as range_icon
| table crashed_count range_icon range_color
| appendpipe [stats count | where crashed_count=0]</query>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That worked, thank you!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
