Re: How to create a dummy row if no data?

nwoolley · ‎10-18-2019

If there is no data for a table I want to create a row whilst waiting for the event to appear and add the word "Running" to the table until an event appears

to the query below

index=cronhost_billing sourcetype=run_billing ": SCRIPT" (group*) | rex field=_raw max_match=0 "[A-Z]+: (?

adonio · ‎10-18-2019

try this:

   index=cronhost_billing sourcetype=run_billing ": SCRIPT" (group*) | rex field=_raw max_match=0 "[A-Z]+: (?
    |appendpipe [stats count| eval message="RUNNING"  | where count==0 |table message]

there are many answers in this portal regarding this, read here more:
https://answers.splunk.com/answers/50379/table-message-when-no-results-found.html
https://answers.splunk.com/answers/660786/how-to-handle-gracefully-no-results-found.html

note, your regex broke due to special characters, next time use the 101010 button when posting code

hope it helps

nwoolley · ‎10-18-2019

To expand - What I am trying to do is do a search for Today if there are no events that means the event has not completed so I want to create a row saying "Running" in the time column if there are no events so I guess I need an If statement and a method to create a dummy row if no data

How to create a dummy row if no data?

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...