Splunk Search

How do I append a specific field with specific values an counts to "no results" search results?

williamcharlton
Path Finder

I've read about the many ways to have a dashboard panel show something other than "No results found", but none of them meet my goal. If the search on my panel yields no events, what I want to do is to construct the same output that would typically appear, the only difference being that the count attribute of each field value will be 0.

Details: The final piece of my search is .... AND (Type = "Critical" OR Type = "Error") | stats count by Type. So, if events are returned, and there is at least one each Critical and Error, then I'll see one field (Type) with two values (Critical and Error). The count attribute for each value is some positive, non-zero value, e.g., if there are 5 Critical and 6 Error, then:

Type       count
Critical   5
Error      6

So, how do I use, e.g., append or appendpipe to produce field Type with value Critical, count=0 and value Error, count = 0?

Type       count
Critical   0
Error      0
0 Karma
1 Solution

vnravikumar
Champion

Hi @williamcharlton0028

Try like

yourquery| stats count by Type 
| appendpipe 
 [| stats count 
 | where count=0 
 | eval Type="Critical",count=0 
 | appendpipe 
     [| eval Type="Error",count=0]]

View solution in original post

vnravikumar
Champion

Hi @williamcharlton0028

Try like

yourquery| stats count by Type 
| appendpipe 
 [| stats count 
 | where count=0 
 | eval Type="Critical",count=0 
 | appendpipe 
     [| eval Type="Error",count=0]]

williamcharlton
Path Finder

@vnravikumar works well except that it appends unconditionally, i.e., in my dashboard panel, when results are returned, I have two Critical values (>0 and 0) and two Error values (>0 and 0). Should append only when query returns no results. I see the | where count==0 but its apparently not working

0 Karma

vnravikumar
Champion

Try this

| appendpipe 
    [| stats count 
    | where count=0 
    | eval Type="Critical",count=0 
    | appendpipe 
        [| eval Type="Error",count=0]]
0 Karma

williamcharlton
Path Finder

@vnravikumar That did it. So, you changed it so that | eval Type="Critical",count=0 | appendpipe [| eval Type="Error",count=0] is performed only when count == 0. I see - thank -you

0 Karma

vnravikumar
Champion

if resolved, please accept.

0 Karma

williamcharlton
Path Finder

@ vnravikumar: accepted. Please update your original answer for future viewers?

0 Karma

vnravikumar
Champion

thanks. I had updated

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@williamcharlton0028,

Try adding this to your search

| append 
    [| stats count 
    | eval Type ="Critical,Error"
    | makemv Type delim=","
    | mvexpand Type ]
| stats max(count) as count by Type 
Happy Splunking!
0 Karma

somesoni2
SplunkTrust
SplunkTrust

Give this a try

.... AND (Type = "Critical" OR Type = "Error") | stats count by Type
| appendpipe [| stats count | where count=0 | eval Type="Critical Error" | makemv Type | mvexpand Type]
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...