Splunk Search

Can you help me search to return results even if there are none available?

ryhluc01
Communicator

I have 2 source types that run every morning at 8:30am.

If 1 or more does not, I need to still see the source types as having a value of 0 instead of displaying "No results found. Try expanding the time range.".

Overall: I need all the specified source type names to be returned within the results so that I can assign a value of 0 to them.

This is what I have:

index=example sourcetype=exp1 OR sourcetype=exp2
| stats count(_time) as count by sourcetype

The above syntax will let me know how many reports ran in the last 24 hrs at the time we specified (which is what I want).

But, in the event that 1 or both of these reports fail to run, I need to still be able to see each source type within my results.

I would like to assign a 0 value to the count for the source type that didn't generate any results.

0 Karma
1 Solution

niketnilay
Legend

@ryhluc01 try the following search:

index=example sourcetype=exp1 OR sourcetype=exp2 
| stats count by sourcetype 
| append 
    [| makeresults 
    | fields - _time 
    | eval sourcetype="exp1,exp2" 
    | makemv sourcetype delim=","
    | mvexpand sourcetype 
    | eval count=0] 
| dedup sourcetype
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

0 Karma

CryoHydra
Path Finder
index=example sourcetype=exp1 OR sourcetype=exp2 
| stats count(_time) as total_count, count(eval(sourcetype="exp1")) as ex1_count, count(eval(sourcetype="exp2")) as ex2_count by index

This is another tweak you can employ in your search 😉

0 Karma
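Both answers above solve the "count what is absent" problem, but in different ways: the accepted answer appends a hand-built list of the sourcetypes that must check in, while the conditional-count form counts each sourcetype inside a single stats call. The search below is an added example, not code from either poster, that generalizes the accepted answer into a log-source silence check. It keeps the thread's index and sourcetype names, and adds a status field and a final where clause that are this example's own additions.

```spl
index=example (sourcetype=exp1 OR sourcetype=exp2) earliest=-24h@h latest=now
| stats count by sourcetype
| append
    [| makeresults
     | fields - _time
     | eval sourcetype="exp1,exp2"
     | makemv sourcetype delim=","
     | mvexpand sourcetype
     | eval count=0]
| stats sum(count) as count by sourcetype
| eval status=if(count=0, "MISSING", "OK")
| where status="MISSING"
```

Summing the real row and the appended zero row with stats sum(count) gives the same result as the dedup in the accepted answer, but it does not depend on the order in which append emits rows. Drop the final where to see every sourcetype with its count; keep it and schedule the search as an alert that triggers when the number of results is greater than zero, and each silent source becomes one alert row. The conditional-count form in the answer just above has a limit worth knowing: stats ... by index has nothing to group when neither sourcetype logged a single event in the window, so it returns no rows at all in exactly the case you most want to catch, whereas the append form still produces its zero rows. If the list of expected sources grows, the makeresults block can be replaced with a hypothetical lookup (for example | inputlookup expected_sourcetypes.csv | eval count=0) so the reference list is maintained outside the search.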

ryhluc01
Communicator

@niketnilay You're amazing. This worked perfectly. Thank you so much for your input ^_^

niketnilay
Legend

Glad you found this working!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

zonistj
Path Finder

Are you wanting to do this in a dashboard or inline in a search?

0 Karma

ryhluc01
Communicator

inline search

0 Karma