
How to get my transaction search to return "0" instead of "no results found" if no events are found?

smhsplunk
Communicator

I am trying to use the transaction command to get duration between two events
In case there are no such events, I would like the search to return 0 instead of "no results found".
This following command isn't working:

    index=main host="xyz"
        | transaction startswith="keyword1" endswith="keyword2"
        | eval spent_time = duration
        | stats sum(spent_time) as total_spent_time
        | table total_spent_time
        | fillnull value=NULL

somesoni2
Revered Legend

Try this

    index=main host="xyz"
        | transaction startswith="keyword1" endswith="keyword2"
        | appendpipe [| stats count | where count=0 | eval duration=0]
        | eval spent_time = duration
        | stats sum(spent_time) as total_spent_time
        | table total_spent_time

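To see why the original search returns nothing while the appendpipe version returns 0, here is a small Python model of both pipelines (an added illustration, not Splunk's code or the answer's): transaction, stats count, appendpipe and stats sum are reimplemented just far enough to show the empty-result behaviour, and the events and field names are constructed.

```python
# Added illustration, not Splunk code: a minimal model of the pipeline above.
# Events are constructed; _time is epoch seconds, _raw is the event text.

def transaction(events, startswith, endswith):
    """Pair each startswith event with the next endswith event and emit one row
    per pair with a `duration` field (the part of SPL's transaction used here)."""
    rows, open_start = [], None
    for ev in sorted(events, key=lambda e: e["_time"]):
        if startswith in ev["_raw"]:
            open_start = ev
        elif endswith in ev["_raw"] and open_start is not None:
            rows.append({"duration": ev["_time"] - open_start["_time"]})
            open_start = None
    return rows

def stats_count(rows):
    """`stats count` always yields exactly one row, even over zero input rows."""
    return [{"count": len(rows)}]

def appendpipe_zero_fallback(rows):
    """`appendpipe [| stats count | where count=0 | eval duration=0]`: the
    subpipeline runs over the current rows and its output is appended, so a
    duration=0 row appears only when transaction produced nothing."""
    extra = [dict(r, duration=0) for r in stats_count(rows) if r["count"] == 0]
    return rows + extra

def stats_sum(rows, field, as_name):
    """`stats sum(field) as as_name`: zero input rows give zero output rows, which
    Splunk shows as "No results found"; a later fillnull has nothing to fill."""
    return [{as_name: sum(r[field] for r in rows)}] if rows else []

def total_spent_time(events, with_fallback):
    """with_fallback=False is the question's search, True is the answer's."""
    rows = transaction(events, "keyword1", "keyword2")
    if with_fallback:
        rows = appendpipe_zero_fallback(rows)
    rows = [dict(r, spent_time=r["duration"]) for r in rows]  # eval spent_time = duration
    return stats_sum(rows, "spent_time", "total_spent_time")

# Constructed sample events: two start/end pairs (30 s and 45 s), and none at all.
EVENTS_WITH_PAIRS = [
    {"_time": 1000, "_raw": "keyword1 job started"},
    {"_time": 1030, "_raw": "keyword2 job finished"},
    {"_time": 2000, "_raw": "keyword1 job started"},
    {"_time": 2045, "_raw": "keyword2 job finished"},
]
EVENTS_NO_PAIRS = [{"_time": 1000, "_raw": "unrelated heartbeat"}]
```

Calling `total_spent_time(EVENTS_NO_PAIRS, False)` yields an empty result set, while `total_spent_time(EVENTS_NO_PAIRS, True)` yields a single row with total_spent_time 0.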

smhsplunk
Communicator

Thanks, didn't know about the appendpipe command.


ppablo
Retired

Hi @smhsplunk

Glad you found a solution through the awesome @somesoni2 (number 1 ranked user on Splunk Answers btw ;D). Please don't forget to resolve the post by clicking "Accept" directly below his answer. This will make the solution easier to find for other users with a similar requirement.

Cheers


ppablo
Retired

Hi @smhsplunk

There have been several questions similar to this already on Answers. Here's one of the more recent ones I found by searching:
https://answers.splunk.com/answers/336907/return-0-if-search-returns-no-results-found.html

See if the answer and comments there with proper placement of the fillnull command help solve your issue.
