Re: Singlevalue display 0 instead of N/A

ipops · ‎09-01-2016

I have a simple search

sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count by _time | accum count

This value is displayed as a SingleValue on a dashboard. Problem is when the search returns no results, the Singlevalue Displays N/A.
How can i make it display 0 if no search results are returned?

I tried | fillnull 0 but made no difference

inventsekar · ‎09-11-2016

sundareshr · ‎09-02-2016

Try this

index=_internal | timechart span=1h count | append [|makeresults | eval count=0 | table _time count] | head 2

*OR*

sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count by _time | accum count | append [|makeresults | eval count=0 | table _time count] | head 2

ipops · ‎09-01-2016

sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count as Count

That worked. Issue now is my singlevalue trendline option disappeared

dbcase · ‎09-01-2016

Thats because there is not time reference. Try adding by _time to the end.

ipops · ‎09-01-2016

sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count as Count by _time

This restores the sparkline value but shows N/A if no search results are found. I need to display 0 if the search returns nothing

dbcase · ‎09-01-2016

Did you try this?

https://answers.splunk.com/answers/442777/how-to-get-a-single-value-visualization-to-display.html

inventsekar · ‎09-01-2016

from this above post, lets try this one -
sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2"
| eval isEvent=if(searchmatch("source"),1,0)
| stats count as myCount sum(isEvent) AS isEvent
| eval result=if(isEvent>0, isEvent, myCount)
| table result

inventsekar · ‎09-01-2016

from this above post, lets try this one -
sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2"
| stats count as myCount
| eval result=if(myCount == 0, 0, myCount)
| stats result by _time

ipops · ‎09-01-2016

That search fails

Error in 'stats' command: The argument 'result' is invalid.

inventsekar · ‎09-01-2016

ok, lets try this -

sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2"
| stats sum(eval(if(isnull(_time),0,1))) as count by _time

inventsekar · ‎09-02-2016

Hi, may i know if this search works fine -

sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2"
| stats sum(eval(if(isnull(_time),0,1))) as count by _time

ipops · ‎09-02-2016

sorry no, All of the searches provided work fine if there is a search result. If nothing is returned the singlevalue is blank instead of displaying 0

inventsekar · ‎09-02-2016

inventsekar · ‎09-01-2016

to get the singlevalue trendline option, please check -
sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | timechart count

ipops · ‎09-01-2016

sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count as Count | timechart count

This returns the sparkline but shows N/A if no search results are found

dbcase · ‎09-01-2016

This one worked for me

https://answers.splunk.com/answers/442777/how-to-get-a-single-value-visualization-to-display.html

inventsekar · ‎09-01-2016

please check this one -

sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count as Count

or, maybe -

sourcetype=ivrdata IVR_Message="Platform" IVR_Value="2" | stats count as Count

tested and this works fine -

sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count by _time | accum count | append [|makeresults | eval count=0 | table _time count] | head 2

Singlevalue display 0 instead of N/A

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!