How to create a dummy row if no data?

nwoolley · ‎10-18-2019

If there is no data for a table I want to create a row whilst waiting for the event to appear and add the word "Running" to the table until an event appears

to the query below

index=cronhost_billing sourcetype=run_billing ": SCRIPT" (group*) | rex field=_raw max_match=0 "[A-Z]+: (?

adonio · ‎10-18-2019

try this:

   index=cronhost_billing sourcetype=run_billing ": SCRIPT" (group*) | rex field=_raw max_match=0 "[A-Z]+: (?
    |appendpipe [stats count| eval message="RUNNING"  | where count==0 |table message]

there are many answers in this portal regarding this, read here more:
https://answers.splunk.com/answers/50379/table-message-when-no-results-found.html
https://answers.splunk.com/answers/660786/how-to-handle-gracefully-no-results-found.html

note, your regex broke due to special characters, next time use the 101010 button when posting code

hope it helps

nwoolley · ‎10-18-2019

To expand - What I am trying to do is do a search for Today if there are no events that means the event has not completed so I want to create a row saying "Running" in the time column if there are no events so I guess I need an If statement and a method to create a dummy row if no data

How to create a dummy row if no data?

Streamline Data Ingestion With Deployment Server Essentials

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

Introduction to Splunk AI