- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Can you help me search to return results even ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have 2 source types that run every morning at 8:30am.
If 1 or more does not, I need to still see the source types as having a value of 0 instead of displaying "No results found. Try expanding the time range.".
Overall: I need all the specified source type names to be returned within the results so that I can assign a value of 0 to them.
This is what I have:
index=example sourcetype=exp1 OR sourcetype=exp2
| stats count(_time) as count by sourcetype
The above syntax will let me know how many reports ran in the last 24 hrs at the time we specified (which is what I want).
But, in the event that 1 or both or these reports fail to run, I need to still be able to see each source type within my results.
I would like to assign a 0 value to the count for the source type that didn't generate any results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ryhluc01 try the following search:
index=example sourcetype=exp1 OR sourcetype=exp2
| stats count by sourcetype
| append
[| makeresults
| fields - _time
| eval sourcetype="exp1,exp2"
| makemv sourcetype delim=","
| mvexpand sourcetype
| eval count=0]
| dedup sourcetype
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=example sourcetype=exp1 OR sourcetype=exp2
| stats count(_time) as total_count eval(count(sourcetype="exp1") as ex1_count eval(count(sourcetype="exp2")) as ex2_count by index
This is another tweak you can employ in your search 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ryhluc01 try the following search:
index=example sourcetype=exp1 OR sourcetype=exp2
| stats count by sourcetype
| append
[| makeresults
| fields - _time
| eval sourcetype="exp1,exp2"
| makemv sourcetype delim=","
| mvexpand sourcetype
| eval count=0]
| dedup sourcetype
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@niketnilay You're amazing. This worked perfectly. Thank you so much for your input ^_^
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Glad you found this working!
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you wanting to do this in a dashboard on inline in a search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
inline search
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
