Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to display 0 when there is No Records Found or Nothing returned

splunkbeginner
Engager
‎04-17-2020 07:13 PM

the search (thanks for who provided this) is:

| tstats count where host=linux01 sourcetype="linux:audit" by _time span=1d prestats=t
| timechart span=1d count as total
| appendcols [ search host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi, rm, ls)
| timechart span=1d count as filter]

If there is no matched event to return for "total" and "filter", I get "Not Results Found". If there is no matched event return for "total" or "filter", I get nothing on the timechart for "total" or "filter"

I would instead like a 0 displayed. Any idea will be much appreciated.

Tags (1)
0 Karma
Reply

harishalipaka
Motivator
‎04-19-2020 11:38 PM

@splunkbeginner

try like this 

| tstats count where host=linux01 sourcetype="linux:audit" by _time span=1d prestats=t
| timechart span=1d count as total
| appendcols [ search host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi, rm, ls)
| timechart span=1d count as filter]
| stats count as total by sourcetype
 | appendpipe [ stats count as total
 | where total=0
 | eval total=0,filter=0]
Thanks
Harish
0 Karma
Reply

splunkbeginner
Engager
‎04-20-2020 06:18 PM

@harishalipaka

thanks but it somehow doesn't work for me.

nevertheless i tried a query from another splunk answer and its working fine.
| appendpipe [ stats count | eval "NoResults"="0" | where count=0 |table "NoResults"]

0 Karma
Reply

to4kawa
Ultra Champion
‎04-17-2020 10:23 PM 
....
| appendpipe [| stats count as total
| where total=0
| eval total=0]
0 Karma
Reply

splunkbeginner
Engager
‎04-19-2020 06:11 PM

@to4kawa

thanks but still I get nothing on the timechart for "total" or "filter" when there is no matched event return for "total" or "filter",

0 Karma
Reply

to4kawa
Ultra Champion
‎04-19-2020 07:08 PM 
index=_internal "nothing counts"
| stats count as total by sourcetype
| appendpipe [ stats count as total
| where total=0
| eval total=0]
0 Karma
Reply

splunkbeginner
Engager
‎04-19-2020 08:41 PM

@to4kawa

thanks again. maybe i don't know how to fit your suggestion to my search... but thanks anyway.

nevertheless i tried a query from another splunk answer and its working fine.
| appendpipe [ stats count | eval "NoResults"="0" | where count=0 |table "NoResults"]

0 Karma
Reply

to4kawa
Ultra Champion
‎04-17-2020 07:47 PM

https://answers.splunk.com/answers/733553/how-do-i-append-a-specific-field-with-specific-val.html

0 Karma
Reply

splunkbeginner
Engager
‎04-17-2020 09:49 PM

@to4kawa

Thanks for the link. Any idea how i can tune the appendage to yield correct events? Thanks

| tstats count where host=linux01 sourcetype="linux:audit" by _time span=1d prestats=t
| timechart span=1d count as total
| appendcols [ search host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi, rm, ls)
| timechart span=1d count as filter]
| appendpipe
[| timechart count
| where count=0
| eval ???,count=0
| appendpipe
[| eval ???,count=0]]

0 Karma
Reply
Get Updates on the Splunk Community!

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...