- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to display 0 when there is No Records Found or...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to display 0 when there is No Records Found or Nothing returned
the search (thanks for who provided this) is:
| tstats count where host=linux01 sourcetype="linux:audit" by _time span=1d prestats=t
| timechart span=1d count as total
| appendcols [ search host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi, rm, ls)
| timechart span=1d count as filter]
If there is no matched event to return for "total" and "filter", I get "Not Results Found". If there is no matched event return for "total" or "filter", I get nothing on the timechart for "total" or "filter"
I would instead like a 0 displayed. Any idea will be much appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@splunkbeginner
try like this
| tstats count where host=linux01 sourcetype="linux:audit" by _time span=1d prestats=t
| timechart span=1d count as total
| appendcols [ search host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi, rm, ls)
| timechart span=1d count as filter]
| stats count as total by sourcetype
| appendpipe [ stats count as total
| where total=0
| eval total=0,filter=0]
Harish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@harishalipaka
thanks but it somehow doesn't work for me.
nevertheless i tried a query from another splunk answer and its working fine.
| appendpipe [ stats count | eval "NoResults"="0" | where count=0 |table "NoResults"]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
....
| appendpipe [| stats count as total
| where total=0
| eval total=0]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@to4kawa
thanks but still I get nothing on the timechart for "total" or "filter" when there is no matched event return for "total" or "filter",
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=_internal "nothing counts"
| stats count as total by sourcetype
| appendpipe [ stats count as total
| where total=0
| eval total=0]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@to4kawa
thanks again. maybe i don't know how to fit your suggestion to my search... but thanks anyway.
nevertheless i tried a query from another splunk answer and its working fine.
| appendpipe [ stats count | eval "NoResults"="0" | where count=0 |table "NoResults"]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the link. Any idea how i can tune the appendage to yield correct events? Thanks
| tstats count where host=linux01 sourcetype="linux:audit" by _time span=1d prestats=t
| timechart span=1d count as total
| appendcols [ search host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi, rm, ls)
| timechart span=1d count as filter]
| appendpipe
[| timechart count
| where count=0
| eval ???,count=0
| appendpipe
[| eval ???,count=0]]
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
