Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to force the display of a value when the search is empty?

Rajaion
Path Finder
‎08-29-2022 03:32 AM

Hello community,

I have a problem with a search that does not return a result. For the purposes of a dashboard, I need one of my searches, when it does not return a result, to display 0.
I have already succeeded in this modification in some somewhat complex searches but for a fairly simple search, I cannot do it. Here is the example in question:

Rajaion_0-1661769046030.png

Note that when I have a result, it is displayed well, my search runs correctly.

I attempted to use the command "| eval ACKED = if(isnull(ACKED) OR len(ACKED)==0, "0", ACKED)" but search doesn't seem to read it:

Rajaion_1-1661769123946.png

 

I found several topics on similar subjects (with the use of fillnull for example) but without result :

Rajaion_2-1661769157029.png

 

I think it's not complicated but I can't put my finger on what's the problem, do you have any idea?

Best regards,

Rajaion

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-29-2022 03:38 AM

Hi @Rajaion,

after the last stats and the final table commands, add the following rows:

| append [| makeresults | eval ACKED=0 | fields ACKED]
| stats sum(ACKED) AS ACKED

I asked to Splunk Ideas to add this feature to panels and it is in evaluation for a future prospect, if you think that it's a good idea, vote for it at https://ideas.splunk.com/ideas/EID-I-572 .

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-29-2022 03:38 AM

Hi @Rajaion,

after the last stats and the final table commands, add the following rows:

| append [| makeresults | eval ACKED=0 | fields ACKED]
| stats sum(ACKED) AS ACKED

I asked to Splunk Ideas to add this feature to panels and it is in evaluation for a future prospect, if you think that it's a good idea, vote for it at https://ideas.splunk.com/ideas/EID-I-572 .

Ciao.

Giuseppe

Reply
Solved! Jump to solution

Rajaion
Path Finder
‎08-29-2022 07:56 AM

Hi @gcusello ,

This is exactly what I was looking for, I hadn't thought of this function (which I will dig into to better understand how it works).

Thank you very much for your help, my dashboards are perfect now!

I voted for your idea, indeed, a simple button for this kind of thing should exist.

Best regards,

Rajaion

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...