I have a simple search
sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count by _time | accum count
This value is displayed as a SingleValue on a dashboard. The problem is that when the search returns no results, the SingleValue displays N/A.
How can I make it display 0 if no search results are returned?
I tried | fillnull 0 but it made no difference.
Hi ipops, tested and this works fine. Thanks to Sundaresh Sir.
sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count by _time | accum count | append [|makeresults | eval count=0 | table _time count] | head 2
Try this
index=_internal | timechart span=1h count | append [|makeresults | eval count=0 | table _time count] | head 2
*OR*
sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count by _time | accum count | append [|makeresults | eval count=0 | table _time count] | head 2
sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count as Count
That worked. The issue now is that my singlevalue trendline option disappeared.
That's because there is no time reference. Try adding by _time to the end.
sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count as Count by _time
This restores the sparkline value but shows N/A if no search results are found. I need to display 0 if the search returns nothing.
From the above post, let's try this one -
sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2"
| eval isEvent=if(searchmatch("source"),1,0)
| stats count as myCount sum(isEvent) AS isEvent
| eval result=if(isEvent>0, isEvent, myCount)
| table result
From the above post, let's try this one -
sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2"
| stats count as myCount
| eval result=if(myCount == 0, 0, myCount)
| stats result by _time
That search fails:
Error in 'stats' command: The argument 'result' is invalid.
OK, let's try this -
sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2"
| stats sum(eval(if(isnull(_time),0,1))) as count by _time
Hi, may I know if this search works fine -
sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2"
| stats sum(eval(if(isnull(_time),0,1))) as count by _time
Sorry, no. All of the searches provided work fine if there is a search result. If nothing is returned, the singlevalue is blank instead of displaying 0.
Let's check this -
sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count as Count by _time | replace "N/A" WITH "0" IN Count
or
sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count as Count by _time | replace "N/A" WITH "0"
To get the singlevalue trendline option, please check -
sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | timechart count
sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count as Count | timechart count
This returns the sparkline but shows N/A if no search results are found.
Please check this one -
sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count as Count
Or, maybe -
sourcetype=ivrdata IVR_Message="Platform" IVR_Value="2" | stats count as Count
Tested and this works fine -
sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count by _time | accum count | append [|makeresults | eval count=0 | table _time count] | head 2