Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Display a custom text when results=0

Richy_s
Path Finder
‎07-01-2024 04:19 AM

How do I run a search against a sourcetype (which is very low volume), and display a custom text when there are 0 events found.  Search should be run for 30days, with a span of 1day.

Output should be -

_time results

04-23-2024 "No events found"

04-23-2024 "No events found"

.

.

.

06-30-2024 23

Labels (3)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-03-2024 10:23 AM

Try putting the <<FIELD>> on the right-hand side of the assignment in single quotes (since you have chosen to hide your sourcetypes, it could be that they have special characters in which the single quotes will deal with)

| timechart span=1d count as event_count by sourcetype usenull=f
| foreach A B C D E F
    [| eval <<FIELD>>=coalesce('<<FIELD>>',0)
    | eval <<FIELD>>=if('<<FIELD>>'==0,"No events found",'<<FIELD>>')]

View solution in original post

Reply
Solved! Jump to solution

Richy_s
Path Finder
‎07-04-2024 09:16 AM

That worked!! One last thing, how do I display only specific sourcetype out of (A B C D E) for where the events for all the days=0. reword this statement

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-04-2024 09:51 AM

There are a number of ways to do this - to find which sourcetypes have zero events, create an event for each sourcetype with a zero count and add it to the count for the sourcetype, and where the count is still zero, there were no events for that sourcetype.

| stats count by sourcetype
| append
    [| makeresults format=csv data="sourcetype,count
A,0
B,0
C,0
D,0
E,0
F,0"
    | table sourcetype count]
| stats sum(count) as count by sourcetype
| where count=0
| eval count="No events found"
0 Karma
Reply
Solved! Jump to solution

Richy_s
Path Finder
‎07-04-2024 03:38 AM

That worked, one last thing, how do I display only specific sourcetype out of (A B C D E) for where event for each day?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-04-2024 03:43 AM

Not sure I understand the requirement - do you want to remove the sourcetypes which have events every day? Please clarify

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎07-01-2024 06:00 AM

If you're using the timechart command, it generates zero count for periods when there is no values. Otherwise you need to use this approach https://www.duanewaddle.com/proving-a-negative/

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-01-2024 04:25 AM 
| eval results=if(results=0,"No events Found",results)
0 Karma
Reply
Solved! Jump to solution

Richy_s
Path Finder
‎07-01-2024 05:59 AM

@ITWhisperer Thank you for your response.  But it did not work.  I don't get any results.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-01-2024 06:03 AM

Please share your full search so we might be able to determine why you are not getting any results.

0 Karma
Reply
Solved! Jump to solution

Richy_s
Path Finder
‎07-01-2024 09:01 AM

So I have a data source which is very low volume and is not expected to have events at all (like only if there is an unexpected event, it logs that).  I have a requirement to produce a report showing there were no unexpected events in last 90days. I tried following search query but it is not giving the results per day.

 

index=foo  | timechart span=1d count as event_count by sourcetype | append [|stats count as event_count | eval text="no events found"]

 

PS - the count you are seeing below is for the other sourceytpe that is under the same index=foo, and the sourcetype where the count is 0 is displayed at the bottom ( sourcetype name is not displayed as there are no events for that sourcetype).

I want my output to be specific to this sourcetype and display count = 0 for all the days where the data is not present.

Richy_s_0-1719849569962.png

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-01-2024 09:39 AM

If you know all the sourcetypes you are interested in (A, B, C, D, E, F in my example), you could do something like this

| timechart span=1d count as event_count by sourcetype usenull=f
| foreach A B C D E F
    [| eval <<FIELD>>=coalesce(<<FIELD>>,0)
    | eval <<FIELD>>=if(<<FIELD>>==0,"No events found",<<FIELD>>)]
0 Karma
Reply
Solved! Jump to solution

Richy_s
Path Finder
‎07-03-2024 05:41 AM

Thank you @ITWhisperer.  This seems to be working however it is not displaying the "No events found" where there are 0 or blank events. Attached snapshot below.  Also, can you please explain the query.

Richy_s_0-1720010416938.png

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-03-2024 10:23 AM

Try putting the <<FIELD>> on the right-hand side of the assignment in single quotes (since you have chosen to hide your sourcetypes, it could be that they have special characters in which the single quotes will deal with)

| timechart span=1d count as event_count by sourcetype usenull=f
| foreach A B C D E F
    [| eval <<FIELD>>=coalesce('<<FIELD>>',0)
    | eval <<FIELD>>=if('<<FIELD>>'==0,"No events found",'<<FIELD>>')]
Reply
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...