Hi,
How can I send an empty schedule report (no events in the search)?
I need to send a schedule report (daily) from an alert but sometimes there are no results. They need to see that csv report even is empty, but the visualization won't appear if there are no results.
Did you know how can I do that? Just the table visualization with empty results/values.
The fillnull don't work for this or am I using it wrong?
Thanks!
Hi @laauespinosa,
you could add another record at the end of your report.
e.g. if you report contains the count of events for host, add something liek this:
index=your_index
| stats count BY host
| append [
| makeresults
| eval host="end of list", count="---"
| fields host count ]
in this way you'll have a report every time is executed.
Ciao.
Giuseppe