Hi,
How to get a single value visualization to display "0" instead of "N/A" in splunk dashboard when there is no matching event?
index=main source="blr-trend" | stats count values(COMP_NAME) AS Computer_NAME,values(DOMAIN) AS Domain, values(MAC) AS MAC, values(ROOTKIT) AS RootKit, values(LOGON_USER) AS Logon_User by ENGINE |reverse| streamstats current=t count AS SERIAL | where SERIAL > 1 |reverse| fields - SERIAL | stats sum(count) AS total
For this query i m getting N/A, but need 0 is results are N/A
Thanks,
Vijay
I did it by adding this to the end of my search. your_single_val is changed to whatever field populates your singlevalue.
| appendpipe [| stats count AS mycount] |
EVAL your_single_val =IF(mycount==0,"NO EVENTS",your_single_val) |
Thanks for your Query.
But i need results of stats sum(count) AS mycount, but this search is not populating single value
Maybe your search is not correct. Can you post some sample event data?
If use below query
index=main source="blr-trend" | stats count values(COMP_NAME) AS Computer_NAME,values(DOMAIN) AS Domain, values(MAC) AS MAC, values(ROOTKIT) AS RootKit, values(LOGON_USER) AS Logon_User by ENGINE |reverse| streamstats current=t count AS SERIAL | where SERIAL > 1 |reverse| fields - SERIAL | appendpipe [| stats count AS mycount] |
EVAL your_single_val =IF(mycount==0,"NO EVENTS",your_single_val) |
I m getting below results. In Visuliazation it shows ENGINE values but i need count of ENGINE in Visuliazation
***ENGINE count RootKit
9.850.1008 2 2.97.1148 2.972.1127***
Add this to the end of your search:
| eval total=if(isnull(total),0,total)
No luck, it is not displaying "0"
What visualization are you using? Single value?
What are you trying to do here. This search seems all out of whack.
When i add this search | stats count AS total | eval total=if(total=="N/A",0,total) it displays value "0" when there are no results, but her if there is any results, then i m getting wrong count.
Here i need sum count , but when i need sum then search (| eval total=if(total=="N/A",0,total) )is not working. I have this search(| fillnull value="unknown" governance) as well but still no luck
I updated my answer too. Please try the new version.