Solved: "No results found" to be represented as NULL or 0

adityapavan18 · ‎09-24-2012

Hi I have a query ending

| stats count as Traffic,avg(duration) by host

It works fine if i have some logs.

If there are no logs, i get "no results found"

But is it possible to return

Traffic     avg(duration)   host
0              0            NULL

jonuwz · ‎09-25-2012

Try something like this :

| stats count as Traffic, avg(duration) as duration by host 
| appendpipe [ stats count | eval Traffic=0 | eval duration=0 | eval host="NULL" | where count==0 | fields - count ]

This adds an extra line to your output with default values, but only if the result count = 0

View solution in original post

jonuwz · ‎09-25-2012

Try something like this :

| stats count as Traffic, avg(duration) as duration by host 
| appendpipe [ stats count | eval Traffic=0 | eval duration=0 | eval host="NULL" | where count==0 | fields - count ]

This adds an extra line to your output with default values, but only if the result count = 0

karthik4455 · ‎05-22-2017

I have a scenario where one column needs to be indicated with Zero in the instance of no result. While this seems to be working, however, it's showing other fileds as NULL.

I am using the above query and I'm seeing the below result:
source Customer QuarterlyVolume
1 0

I want to see the details of source and Customer as well.

"No results found" to be represented as NULL or 0

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update