Dashboards & Visualizations

サーチ結果が返ってこない場合のダッシュボードの表示

dt01_2019
New Member

サーチ結果が返ってこない場合でもダッシュボードに特定の文字列を表示したい場合、サーチ文をどのように設定したらよいか教えてください。
【やりたいこと】
エラーがある場合のみログが出力されるため、エラーログが無ければSplunkに取り込まれない。その場合、ダッシュボードには「エラーなし」と表示したい。

If you want to display a specific character string on the dashboard even if the search results are not returned, please tell me how to set the search text.
【Thing you want to do】
Log is output only when there is an error, so if there is no error log, it will not be taken into Splunk. In that case, I want to display "No error" on the dashboard.

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Try appendpipe. Insert this before your table command to replace the "No results found" message.

... |  appendpipe [ stats count | eval <some field from your query>="No error" | where count==0 | fields - count ]
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try appendpipe. Insert this before your table command to replace the "No results found" message.

... |  appendpipe [ stats count | eval <some field from your query>="No error" | where count==0 | fields - count ]
---
If this reply helps you, an upvote would be appreciated.
0 Karma

dt01_2019
New Member

Thank you very much.

Every answer was correct, but this answer was the closest to my image.

0 Karma

to4kawa
Ultra Champion
<form>
  <label>サーチ結果がない場合、文字列を表示する</label>
  <fieldset submitButton="true">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-1h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <search>
          <query>index=_internal splunkd kbps>1</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
             <done>
             <condition match="$job.resultCount$==0">
               <set token="showtab1">true</set>
             </condition>
             <condition match="$job.resultCount$!=0">
               <unset token="showtab1"></unset>
             </condition>
           </done>
        </search>
      </event>
    </panel>
    </row>
    <row>
    <panel depends="$showtab1$"><html><h2>エラーなし</h2></html></panel>
  </row>
</form>

簡易的に作ってみました。
検索結果がない場合、2つめのHTMLパネルを表示します。
こちらをベースに作ってみてはどうでしょうか?

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>