Splunk Search

Display a custom text when results=0

Richy_s
Path Finder

How do I run a search against a sourcetype (which is very low volume), and display a custom text when there are 0 events found.  Search should be run for 30days, with a span of 1day.

Output should be -

_time results

04-23-2024 "No events found"

04-23-2024 "No events found"

.

.

.

06-30-2024 23

Labels (3)
Tags (3)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Try putting the <<FIELD>> on the right-hand side of the assignment in single quotes (since you have chosen to hide your sourcetypes, it could be that they have special characters in which the single quotes will deal with)

| timechart span=1d count as event_count by sourcetype usenull=f
| foreach A B C D E F
    [| eval <<FIELD>>=coalesce('<<FIELD>>',0)
    | eval <<FIELD>>=if('<<FIELD>>'==0,"No events found",'<<FIELD>>')]

View solution in original post

Richy_s
Path Finder

That worked!! One last thing, how do I display only specific sourcetype out of (A B C D E) for where the events for all the days=0. reword this statement

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

There are a number of ways to do this - to find which sourcetypes have zero events, create an event for each sourcetype with a zero count and add it to the count for the sourcetype, and where the count is still zero, there were no events for that sourcetype.

| stats count by sourcetype
| append
    [| makeresults format=csv data="sourcetype,count
A,0
B,0
C,0
D,0
E,0
F,0"
    | table sourcetype count]
| stats sum(count) as count by sourcetype
| where count=0
| eval count="No events found"
0 Karma

Richy_s
Path Finder

That worked, one last thing, how do I display only specific sourcetype out of (A B C D E) for where event for each day?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Not sure I understand the requirement - do you want to remove the sourcetypes which have events every day? Please clarify

0 Karma

PickleRick
SplunkTrust
SplunkTrust

If you're using the timechart command, it generates zero count for periods when there is no values. Otherwise you need to use this approach https://www.duanewaddle.com/proving-a-negative/

ITWhisperer
SplunkTrust
SplunkTrust
| eval results=if(results=0,"No events Found",results)
0 Karma

Richy_s
Path Finder

@ITWhisperer Thank you for your response.  But it did not work.  I don't get any results.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Please share your full search so we might be able to determine why you are not getting any results.

0 Karma

Richy_s
Path Finder

So I have a data source which is very low volume and is not expected to have events at all (like only if there is an unexpected event, it logs that).  I have a requirement to produce a report showing there were no unexpected events in last 90days. I tried following search query but it is not giving the results per day.

 

index=foo  | timechart span=1d count as event_count by sourcetype | append [|stats count as event_count | eval text="no events found"]

 

PS - the count you are seeing below is for the other sourceytpe that is under the same index=foo, and the sourcetype where the count is 0 is displayed at the bottom ( sourcetype name is not displayed as there are no events for that sourcetype).

I want my output to be specific to this sourcetype and display count = 0 for all the days where the data is not present.

Richy_s_0-1719849569962.png

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

If you know all the sourcetypes you are interested in (A, B, C, D, E, F in my example), you could do something like this

| timechart span=1d count as event_count by sourcetype usenull=f
| foreach A B C D E F
    [| eval <<FIELD>>=coalesce(<<FIELD>>,0)
    | eval <<FIELD>>=if(<<FIELD>>==0,"No events found",<<FIELD>>)]
0 Karma

Richy_s
Path Finder

Thank you @ITWhisperer.  This seems to be working however it is not displaying the "No events found" where there are 0 or blank events. Attached snapshot below.  Also, can you please explain the query.

Richy_s_0-1720010416938.png

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try putting the <<FIELD>> on the right-hand side of the assignment in single quotes (since you have chosen to hide your sourcetypes, it could be that they have special characters in which the single quotes will deal with)

| timechart span=1d count as event_count by sourcetype usenull=f
| foreach A B C D E F
    [| eval <<FIELD>>=coalesce('<<FIELD>>',0)
    | eval <<FIELD>>=if('<<FIELD>>'==0,"No events found",'<<FIELD>>')]
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...