Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Singlevalue display 0 instead of N/A

ipops
Path Finder
‎09-01-2016 05:06 AM

I have a simple search

sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count by _time | accum count

This value is displayed as a SingleValue on a dashboard. Problem is when the search returns no results, the Singlevalue Displays N/A.
How can i make it display 0 if no search results are returned?

I tried | fillnull 0 but made no difference

Tags (1)
0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎09-11-2016 04:43 AM

Hi ipops, tested and this works fine.. thanks to Sundaresh Sir.
sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count by _time | accum count | append [|makeresults | eval count=0 | table _time count] | head 2

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

sundareshr
Legend
‎09-02-2016 05:05 AM

Try this

index=_internal | timechart span=1h count | append [|makeresults | eval count=0 | table _time count] | head 2

*OR*

sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count by _time | accum count | append [|makeresults | eval count=0 | table _time count] | head 2
0 Karma
Reply

ipops
Path Finder
‎09-01-2016 05:38 AM

sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count as Count

That worked. Issue now is my singlevalue trendline option disappeared

0 Karma
Reply

dbcase
Motivator
‎09-01-2016 05:46 AM

Thats because there is not time reference. Try adding by _time to the end.

0 Karma
Reply

ipops
Path Finder
‎09-01-2016 08:33 AM

sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count as Count by _time

This restores the sparkline value but shows N/A if no search results are found. I need to display 0 if the search returns nothing

0 Karma
Reply

dbcase
Motivator
‎09-01-2016 08:35 AM

Did you try this?

https://answers.splunk.com/answers/442777/how-to-get-a-single-value-visualization-to-display.html

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎09-01-2016 08:49 AM

from this above post, lets try this one -
sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2"
| eval isEvent=if(searchmatch("source"),1,0)
| stats count as myCount sum(isEvent) AS isEvent
| eval result=if(isEvent>0, isEvent, myCount)
| table result

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎09-01-2016 09:14 AM

from this above post, lets try this one -
sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2"
| stats count as myCount
| eval result=if(myCount == 0, 0, myCount)
| stats result by _time

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

ipops
Path Finder
‎09-01-2016 09:24 AM

That search fails

Error in 'stats' command: The argument 'result' is invalid.

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎09-01-2016 09:33 AM

ok, lets try this -

sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2"
| stats sum(eval(if(isnull(_time),0,1))) as count by _time

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎09-02-2016 03:47 AM

Hi, may i know if this search works fine -

sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2"
| stats sum(eval(if(isnull(_time),0,1))) as count by _time

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

ipops
Path Finder
‎09-02-2016 04:22 AM

sorry no, All of the searches provided work fine if there is a search result. If nothing is returned the singlevalue is blank instead of displaying 0

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎09-02-2016 04:42 AM

lets check this -
sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count as Count by _time | replace "N/A" WITH "0" IN Count
or
sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count as Count by _time | replace "N/A" WITH "0"

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎09-01-2016 05:45 AM

to get the singlevalue trendline option, please check -
sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | timechart count

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

ipops
Path Finder
‎09-01-2016 08:32 AM

sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count as Count | timechart count

This returns the sparkline but shows N/A if no search results are found

0 Karma
Reply

dbcase
Motivator
‎09-01-2016 05:34 AM

This one worked for me

https://answers.splunk.com/answers/442777/how-to-get-a-single-value-visualization-to-display.html

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎09-01-2016 05:32 AM

please check this one - 

sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count as Count

or, maybe - 

sourcetype=ivrdata IVR_Message="Platform" IVR_Value="2" | stats count as Count

tested and this works fine - 

sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count by _time | accum count | append [|makeresults | eval count=0 | table _time count] | head 2
thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...