Splunk Enterprise

How to display customized text in table?

mahesh27
Communicator

Hi All,
My query:
index=abt_htt_app host=thyfg OR host=jhbjj OR host=nmm sourcetype=app:abt:logs |stats count as Transactions |where Transaction>10
|appendcols
[ index=tbt_htt_app host=juhy OR host=kuthf OR host=nmm sourcetype=app:abt:logs |stats count as Sucess |where Sucess>5]
|appendcols
[ index=ccc_htt_app sourcetype=app:abt:even |stats count as failed |where falied>10]
|appendcols
[ index=tbt_htt_app host=juhy OR host=kuthf OR host=nmm sourcetype=app:clt:logs |stats count as error |where error>45]

Output:

Transactions Sucess failed error
12 5 4 10


but when the count condition does not met all the fileds wont get dsiplayed and when i get only transactions count in table
Here i want to add a customized text like "No action required" under the table as shown below:
how can i do this??
Output:

Transactions
12

"No action required"

Labels (1)
0 Karma

bowesmana
SplunkTrust
SplunkTrust

You can always add

| fillnull Transactions Sucess failed error

to the end of your search which will always make those fields 0 if they do not exist - but only if at least ONE of them exists, but what do you want to fill those values with.

You could also do this, which would very likely be faster

(index=abt_htt_app host=thyfg OR host=jhbjj OR host=nmm sourcetype=app:abt:logs) OR 
(index=tbt_htt_app host=juhy OR host=kuthf OR host=nmm sourcetype=app:abt:logs) OR 
(index=ccc_htt_app sourcetype=app:abt:even) OR
(tbt_htt_app host=juhy OR host=kuthf OR host=nmm sourcetype=app:clt:logs)
| stats count(eval(index="abt_htt_app")) as Transaction count(eval(index="tbt_htt_app")) as Sucess count(eval(index="ccc_htt_app")) as failed count(eval(index="host")) as error
| eval Transaction=if(Transaction>10, Transaction, 0)
| eval Sucess=if(Sucess>5, Sucess, 0)
| eval failed=if(failed>10, failed, 0)
| eval error=if(error>45, error, 0)
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...