Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get my transaction search to return "0" instead of "no results found" if no events are found?

smhsplunk
Communicator
‎10-13-2016 10:59 AM

I am trying to use the transaction command to get duration between two events
In case there are no such events, I would like the search to return 0 instead of "no results found".
This following command isn't working:

    index=main host="xyz"   
            | transaction startswith="keyword1" endswith="keyword2" 
            | eval spent_time = duration 
            | stats sum(spent_time) as total_spent_time
                    | table total_spent_time 
                    | fillnull value=NULL
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-13-2016 11:17 AM

Try this

index=main host="xyz"   
             | transaction startswith="keyword1" endswith="keyword2" 
             | appendpipe [| stats count | where count=0 | eval duration=0]
             | eval spent_time = duration 
             | stats sum(spent_time) as total_spent_time
                     | table total_spent_time

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-13-2016 11:17 AM

Try this

index=main host="xyz"   
             | transaction startswith="keyword1" endswith="keyword2" 
             | appendpipe [| stats count | where count=0 | eval duration=0]
             | eval spent_time = duration 
             | stats sum(spent_time) as total_spent_time
                     | table total_spent_time
Reply
Solved! Jump to solution

smhsplunk
Communicator
‎10-13-2016 11:33 AM

thanks, didnt know about the appendpipe command

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎10-13-2016 12:02 PM

Hi @smhsplunk

Glad you found a solution through the awesome @somesoni2 (number 1 ranked user on Splunk Answers btw ;D). Please don't forget to resolve the post by clicking "Accept" directly below his answer. This will make the solution easier to find for other users with a similar requirement.

Cheers

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎10-13-2016 11:10 AM

Hi @smhsplunk

There have been several questions similar to this already on Answers. Here's one of the more recent ones I found by searching:
https://answers.splunk.com/answers/336907/return-0-if-search-returns-no-results-found.html

See if the answer and comments there with proper placement of the fillnull command help solve your issue.

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...