Solved: How to display fields in a table panel even if the...

jip31 · ‎10-18-2019

hello

In a panel table, I need to display every sourcetype results even if the sourcetype result = 0
I have done an if condition but it doenst works
could you help me please?

`windows` sourcetype="Win" OR sourcetype=report OR sourcetype=abdm OR sourcetype=app OR sourcetype="flags" OR sourcetype="up" 
| stats dc(host) as "Number of hosts" by sourcetype 
| sort -"Number of hosts"

kamlesh_vaghela · ‎10-18-2019

@jip31

Can you please try this?

 `windows` sourcetype="Win" OR sourcetype=report OR sourcetype=abdm OR sourcetype=app OR sourcetype="flags" OR sourcetype="up" 
| stats dc(host) as count by sourcetype 
| sort -"Number of hosts" | append [| makeresults 
| eval sourcetype="Win||report||abdm||app||flags||up",sourcetype=split(sourcetype,"||"), count=0
| mvexpand sourcetype 
| table sourcetype count ]  | stats sum(count) as "Number of hosts" by sourcetype

View solution in original post

kamlesh_vaghela · ‎10-18-2019

@jip31

Can you please try this?

 `windows` sourcetype="Win" OR sourcetype=report OR sourcetype=abdm OR sourcetype=app OR sourcetype="flags" OR sourcetype="up" 
| stats dc(host) as count by sourcetype 
| sort -"Number of hosts" | append [| makeresults 
| eval sourcetype="Win||report||abdm||app||flags||up",sourcetype=split(sourcetype,"||"), count=0
| mvexpand sourcetype 
| table sourcetype count ]  | stats sum(count) as "Number of hosts" by sourcetype

jip31 · ‎10-18-2019

many thanks!!

How to display fields in a table panel even if the result field = 0?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!