Splunk Search

How to get my transaction search to return "0" instead of "no results found" if no events are found?

Communicator

I am trying to use the transaction command to get the duration between two events.
In case there are no such events, I would like the search to return 0 instead of "no results found".
The following command isn't working:

    index=main host="xyz"
        | transaction startswith="keyword1" endswith="keyword2"
        | eval spent_time = duration
        | stats sum(spent_time) as total_spent_time
        | table total_spent_time
        | fillnull value=NULL
0 Karma
1 Solution

Revered Legend

Try this

    index=main host="xyz"
        | transaction startswith="keyword1" endswith="keyword2"
        | appendpipe [| stats count | where count=0 | eval duration=0]
        | eval spent_time = duration
        | stats sum(spent_time) as total_spent_time
        | table total_spent_time

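A self-contained way to check the `appendpipe` idiom from the answer above on any Splunk instance, without indexed data (an added example, not part of the original thread). Assumptions: `makeresults` with a constructed `duration` of 10 stands in for the `transaction` output, and `where 1=0` simulates the case where no transactions match.

```spl
| makeresults count=3
| eval duration=10
| where 1=0
| appendpipe [| stats count | where count=0 | eval duration=0]
| eval spent_time = duration
| stats sum(spent_time) as total_spent_time
| table total_spent_time
```

With `| where 1=0` in place the search returns a single row with `total_spent_time` equal to 0; removing that line returns 30, because the `where count=0` inside the subpipeline discards the placeholder row whenever real results exist.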

Communicator

Thanks, didn't know about the appendpipe command.

0 Karma

Community Manager

Hi @smhsplunk

Glad you found a solution through the awesome @somesoni2 (number 1 ranked user on Splunk Answers btw ;D). Please don't forget to resolve the post by clicking "Accept" directly below his answer. This will make the solution easier to find for other users with a similar requirement.

Cheers

0 Karma

Community Manager

Hi @smhsplunk

There have been several questions similar to this already on Answers. Here's one of the more recent ones I found by searching:
https://answers.splunk.com/answers/336907/return-0-if-search-returns-no-results-found.html

See if the answer and comments there with proper placement of the fillnull command help solve your issue.

0 Karma