Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a way to show a message when no search results are found?

jamie1
Communicator
‎05-24-2023 08:08 AM

Hi There,

I have checked multiple other discussions on this forum with people after a similar solution, however, they seemed quite specific, whereas I'm looking for a general method to accomplish this.

Essentially I just want a simple way to show a message of some kind on every dashboard panel that currently doesn't have results to show, instead of the typical "No search results returned".

Any help would be appreciated,

Jamie

 

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-24-2023 10:02 AM

OK a bit convoluted, but try this

| appendpipe 
    [| stats count as _count
    | where _count=0
    | fields - _count
    | eval Message="No results at this time"]
| foreach *
    [| eval 1_<<FIELD>>=if("<<FIELD>>"!="Message" AND isnotnull(<<FIELD>>),<<FIELD>>,null())]
| table *
| fields - 1_*

 

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-24-2023 08:23 AM

If only you hadn't mentioned Dashboard Studio - it is reasonably easy to do in SimpleXML dashboards using done handlers to set tokens and hiding/showing panels based on these tokens. The panels could be HTML panels with an appropriate message as desired.

Reply
Solved! Jump to solution

jamie1
Communicator
‎05-24-2023 08:26 AM

Hi @ITWhisperer 

It's a shame to hear that, as I really like the high amount of customisability that comes with using the dashboard studio.

Overall, would you suggest that the classic dashboard editor is better?

Jamie

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-24-2023 08:34 AM

Personally, I only have one Studio dashboard, and that just to test features to see if it is upto requirements yet. Everything else is with Classic dashboards and, to be fair, I do use a reasonable amount of handlers and CSS to enhance the presentation. For example, I have a panel which is displayed while a base search is running, and another while the chained search for the panel is running, and only display the final result when the chained search has completed.

Reply
Solved! Jump to solution

jamie1
Communicator
‎05-24-2023 08:37 AM

Thank you for your input, I do hope that they add the functionality for this as requested by @gcusello. It does seem like quite a basic implementation so I was actually surprised to find out that it isn't all that simple.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-24-2023 08:45 AM

If your panel is a table, you could use appendpipe to add a row with a message in if there are no results

| appendpipe [| stats count as _count | where _count == 0 | eval Message="No results have been found at this time, please try again later!"]
Reply
Solved! Jump to solution

jamie1
Communicator
‎05-24-2023 08:51 AM

The issue with that, is that it still shows all of the other fields in the search, I'll attach an image so that you can see what I mean, but it just doesn't look very neat.

Preview file
8 KB
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-24-2023 10:02 AM

OK a bit convoluted, but try this

| appendpipe 
    [| stats count as _count
    | where _count=0
    | fields - _count
    | eval Message="No results at this time"]
| foreach *
    [| eval 1_<<FIELD>>=if("<<FIELD>>"!="Message" AND isnotnull(<<FIELD>>),<<FIELD>>,null())]
| table *
| fields - 1_*

 

Reply
Solved! Jump to solution

jamie1
Communicator
‎05-26-2023 02:56 AM

Hey @ITWhisperer 

I've just tested your recommended search, would this work for all visualisation types? Or just statistic tables?

Thanks,

Jamie

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-26-2023 03:09 AM

Probably not - visualisations are essentially representations of table data. Referring back to my initial response, with SimpleXML/Classic dashboards, you can use tokens in these situations to display/hide panels.

Reply
Solved! Jump to solution

jamie1
Communicator
‎05-26-2023 06:31 AM

Hi There,

The majority of the panels on the dashboard are tables, so I'm going to accept that search as the solution. I do hope that they eventually add the option to display an image or some sort of message for all types of panel when there is no data to be displayed.

Jamie

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-24-2023 08:18 AM

Hi @jamie1 ,

I asked this feature in Splunk Ideas and it's classified as a future feature.

If you couls share your search I could help you in the meantime.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

jamie1
Communicator
‎05-24-2023 08:22 AM

Hi Giuseppe,

Yeah it is quite surprising that the feature doesn't already exist.

Only issue with sharing the search, is that there is 10+ searches on the current dashboard.

So I think the best course of action for me is probably to wait for the Splunk team to create the feature.

Thank you anyway though,

Jamie

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...