Re: How to create a dummy row if no data?

nwoolley · ‎10-18-2019

If there is no data for a table I want to create a row whilst waiting for the event to appear and add the word "Running" to the table until an event appears

to the query below

index=cronhost_billing sourcetype=run_billing ": SCRIPT" (group*) | rex field=_raw max_match=0 "[A-Z]+: (?

adonio · ‎10-18-2019

try this:

   index=cronhost_billing sourcetype=run_billing ": SCRIPT" (group*) | rex field=_raw max_match=0 "[A-Z]+: (?
    |appendpipe [stats count| eval message="RUNNING"  | where count==0 |table message]

there are many answers in this portal regarding this, read here more:
https://answers.splunk.com/answers/50379/table-message-when-no-results-found.html
https://answers.splunk.com/answers/660786/how-to-handle-gracefully-no-results-found.html

note, your regex broke due to special characters, next time use the 101010 button when posting code

hope it helps

nwoolley · ‎10-18-2019

To expand - What I am trying to do is do a search for Today if there are no events that means the event has not completed so I want to create a row saying "Running" in the time column if there are no events so I guess I need an If statement and a method to create a dummy row if no data

How to create a dummy row if no data?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation