Splunk Search

Append causing dashboard panels to use colours for max ranges

benhooper
Communicator

In my dashboard, I have "Alerts Open" timechart single value panels with colour ranges that are using the following searches:

 

 

index="<client>" case_id | dedup 1 case_id sortby -_time | search (status=new OR status=under_investigation) | timechart sum(alert_count) as alert_count_total | addcoltotals

 

 

This works fine in all aspects when there are actually alerts open.

However, I found that when no alerts are open then it simply displays "No results found" but I wanted it to stay on 0. I tried using  "if(isnull" and "fillnull" neither of which worked but I found that using the following search resolves this:

 

 

index="<client>" case_id | dedup 1 case_id sortby -_time | search (status=new OR status=under_investigation) | timechart sum(alert_count) as alert_count_total | append [| stats count as alert_count] | addcoltotals

 

 

However, a side of that is that the panels are now using the colours for the max ranges, even though the value is 0 and the max ranges are, for example, "from 100 to max". This can be seen below.

2020-08-10 15-08-01 - Search__Splunk_8.0.5_-_Google_Chrome.png

For some reason, it seems that it's the timechart that's causing this because removing it uses the correct colours. This can be seen below.

2020-08-10 15-11-19 - Search__Splunk_8.0.5_-_Google_Chrome.png

 

Labels (1)
Tags (3)
0 Karma
1 Solution

benhooper
Communicator

I found:

  1. That it was actually the lack of events that was causing this.
  2. https://community.splunk.com/t5/Archive/Evaluate-if-there-are-no-search-results-or-events-for-a-fiel... which recommended using makeresults so I replaced "append [| stats count as alert_count]" with "append [| makeresults | eval alert_count_total = 0]" which resolved the problem.

View solution in original post

0 Karma

benhooper
Communicator

I found:

  1. That it was actually the lack of events that was causing this.
  2. https://community.splunk.com/t5/Archive/Evaluate-if-there-are-no-search-results-or-events-for-a-fiel... which recommended using makeresults so I replaced "append [| stats count as alert_count]" with "append [| makeresults | eval alert_count_total = 0]" which resolved the problem.
0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...