Splunk Enterprise

help to display 0 in single panel if no results

jip31
Motivator

Hello

I need to display 0 in a single panel if there are no results

I tried the 2 solutions below but they don't work

How to do this, please?

 

| stats avg(Response) 
| eval Response=if(Response="0","0",Response)

| stats avg(Response) 
| eval Response=if(Response="","0",Response)

 

0 Karma
1 Solution

PickleRick
SplunkTrust

If you don't have any responses in your timerange you simply won't get any results, which is different than a result with a null value. So you can't "fix" the result because there isn't any.

There's a little trick which you can do though that will produce a result. Just do another stat that will always show. Like

<<your search>>
| stats avg(Response) as ar count(Response) as cr
| eval ar=if(cr=0,0,ar)
| fields - cr

This way you'll always get a count value even if it's just a zero.

Then you can either do a conditional on returned number (as shown above) or - alternatively - do a conditional on avg being null.

0 Karma
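
A self-contained way to try the trick from the answer above without any indexed data (an added example, not part of the original posts). The five events are constructed with makeresults and then filtered out by `where n>5`, so stats receives no input; the field names n, by_count and by_null are made up for this example, and the two eval expressions are the two conditionals the answer mentions.

```spl
| makeresults count=5
| streamstats count as n
| eval Response=n*100
| where n>5
| stats avg(Response) as ar count(Response) as cr
| eval by_count=if(cr=0, 0, ar), by_null=if(isnull(ar), 0, ar)
| fields - ar cr
```

Both columns show 0 here; changing the filter to `where n<=5` makes both show 300, the average of the five constructed values.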

jip31
Motivator

thanks

0 Karma

ashvinpandey
Contributor

@PickleRick I think there is a correction in your eval:

| eval ar=if(cr=1,0,ar)

Also, if this reply helps you, an upvote would be appreciated.

0 Karma

PickleRick
SplunkTrust

No. If count equals 0, it means that there were no entries to be counted, so there is no avg calculated and we have to replace the null value with something reasonable.

0 Karma