Solved: Re: How do I append a specific field with specific...

williamcharlton · ‎03-13-2019

I've read about the many ways to have a dashboard panel show something other than "No results found", but none of them meet my goal. If the search on my panel yields no events, what I want to do is to construct the same output that would typically appear, the only difference being that the count attribute of each field value will be 0.

Details: The final piece of my search is .... AND (Type = "Critical" OR Type = "Error") | stats count by Type. So, if events are returned, and there is at least one each Critical and Error, then I'll see one field (Type) with two values (Critical and Error). The count attribute for each value is some positive, non-zero value, e.g., if there are 5 Critical and 6 Error, then:

Type       count
Critical   5
Error      6

So, how do I use, e.g., append or appendpipe to produce field Type with value Critical, count=0 and value Error, count = 0?

Type       count
Critical   0
Error      0

vnravikumar · ‎03-13-2019

Hi @williamcharlton0028

Try like

yourquery| stats count by Type 
| appendpipe 
 [| stats count 
 | where count=0 
 | eval Type="Critical",count=0 
 | appendpipe 
     [| eval Type="Error",count=0]]

View solution in original post

vnravikumar · ‎03-13-2019

Hi @williamcharlton0028

Try like

yourquery| stats count by Type 
| appendpipe 
 [| stats count 
 | where count=0 
 | eval Type="Critical",count=0 
 | appendpipe 
     [| eval Type="Error",count=0]]

williamcharlton · ‎03-13-2019

@vnravikumar works well except that it appends unconditionally, i.e., in my dashboard panel, when results are returned, I have two Critical values (>0 and 0) and two Error values (>0 and 0). Should append only when query returns no results. I see the | where count==0 but its apparently not working

vnravikumar · ‎03-13-2019

Try this

| appendpipe 
    [| stats count 
    | where count=0 
    | eval Type="Critical",count=0 
    | appendpipe 
        [| eval Type="Error",count=0]]

williamcharlton · ‎03-13-2019

@vnravikumar That did it. So, you changed it so that | eval Type="Critical",count=0 | appendpipe [| eval Type="Error",count=0] is performed only when count == 0. I see - thank -you

vnravikumar · ‎03-13-2019

if resolved, please accept.

williamcharlton · ‎03-13-2019

@ vnravikumar: accepted. Please update your original answer for future viewers?

vnravikumar · ‎03-13-2019

thanks. I had updated

renjith_nair · ‎03-13-2019

@williamcharlton0028,

Try adding this to your search

| append 
    [| stats count 
    | eval Type ="Critical,Error"
    | makemv Type delim=","
    | mvexpand Type ]
| stats max(count) as count by Type

---
What goes around comes around. If it helps, hit it with Karma 🙂

somesoni2 · ‎03-13-2019

Give this a try

.... AND (Type = "Critical" OR Type = "Error") | stats count by Type
| appendpipe [| stats count | where count=0 | eval Type="Critical Error" | makemv Type | mvexpand Type]

How do I append a specific field with specific values an counts to "no results" search results?

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!

Automatic Discovery Part 2: Setup and Best Practices

Are you a member of the Splunk Community?

How do I append a specific field with specific values an counts to "no results" search results?

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!

Automatic Discovery Part 2: Setup and Best Practices