I'm trying to create a dashboard that shows the status of a few applications running on a server. I'm using the Linux for Splunk app and I'm running ps and top every minute or two. The search works fine, and I use count to see if the process is running. When I try to display it, it correctly shows "Yes" if count>0, but it shows "N/A" if count==0 instead of "No". I found a similar question here, but it was never answered. I also tried using fillnull as outlined here so that there is always a search result, but that doesn't seem to work either. I still get "N/A" when there are no results (but it still works and displays "Yes" if count>0). Is there any way to get SingleValue to display something other than "N/A" if there are no results? I'm relatively new to Splunk, so any help is appreciated. Thanks!
Here is my current code:
<view template="dashboard.html">
This :
... | stats count
will return 0 if there's no results
this :
... | stats count by watch
will return nothing if there's no results, because there's no 'watch' to split over, you dont get 0
, so the rangemap doesnt have a value.
So you need to add a dummy line with lista=0
when appropriate.
... | stats max(count) as lista
| appendpipe [ stats count | eval lista=if(count==0,0,NULL) | fields - count ] | ...
etc etc. You could move the check forward in the search too, but this is the easiest way to explain it