Splunk Search

Can you help me search to return results even if there are none available?

ryhluc01
Communicator

I have 2 source types that run every morning at 8:30am.

If 1 or more does not, I need to still see the source types as having a value of 0 instead of displaying "No results found. Try expanding the time range.".

Overall: I need all the specified source type names to be returned within the results so that I can assign a value of 0 to them.

This is what I have:

index=example sourcetype=exp1 OR sourcetype=exp2
| stats count(_time) as count by sourcetype

The above syntax will let me know how many reports ran in the last 24 hrs at the time we specified (which is what I want).

But, in the event that 1 or both or these reports fail to run, I need to still be able to see each source type within my results.

I would like to assign a 0 value to the count for the source type that didn't generate any results.

0 Karma
1 Solution

niketn
Legend

@ryhluc01 try the following search:

index=example sourcetype=exp1 OR sourcetype=exp2 
| stats count by sourcetype 
| append 
    [| makeresults 
    | fields - _time 
    | eval sourcetype="exp1,exp2" 
    | makemv sourcetype delim=","
    | mvexpand sourcetype 
    | eval count=0] 
| dedup sourcetype
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

CryoHydra
Path Finder
index=example sourcetype=exp1 OR sourcetype=exp2 
| stats count(_time) as total_count eval(count(sourcetype="exp1") as ex1_count eval(count(sourcetype="exp2")) as ex2_count by index

This is another tweak you can employ in your search 😉

0 Karma

niketn
Legend

@ryhluc01 try the following search:

index=example sourcetype=exp1 OR sourcetype=exp2 
| stats count by sourcetype 
| append 
    [| makeresults 
    | fields - _time 
    | eval sourcetype="exp1,exp2" 
    | makemv sourcetype delim=","
    | mvexpand sourcetype 
    | eval count=0] 
| dedup sourcetype
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

ryhluc01
Communicator

@niketnilay You're amazing. This worked perfectly. Thank you so much for your input ^_^

niketn
Legend

Glad you found this working!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

zonistj
Path Finder

Are you wanting to do this in a dashboard on inline in a search?

0 Karma

ryhluc01
Communicator

inline search

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...