Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get table column headers to display even if no results are found?

bullbo
Engager
‎12-05-2019 02:01 PM

I have a search that displays new accounts created over the past 30 days and another that displays accounts deleted over the past 30 days.

I would like to have the column (field) names display even if no results are returned as well as the “No results found” message. Is it possible or am I asking too much?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎12-06-2019 05:58 AM 
index=wineventlog source=wineventlog:security EventCode=4725 OR EventCode=629
| appendpipe [stats count | where count==0 |eval EventCodeDescription="No Results Found"]
| table _time, user, src_user, EventCodeDescription
| rename _time as Date, src_user as "Disabled by", user as "User Account", EventCodeDescription as "Event"
| convert ctime(Date)

View solution in original post

Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎12-06-2019 05:58 AM 
index=wineventlog source=wineventlog:security EventCode=4725 OR EventCode=629
| appendpipe [stats count | where count==0 |eval EventCodeDescription="No Results Found"]
| table _time, user, src_user, EventCodeDescription
| rename _time as Date, src_user as "Disabled by", user as "User Account", EventCodeDescription as "Event"
| convert ctime(Date)
Reply
Solved! Jump to solution

bullbo
Engager
‎12-06-2019 06:30 AM

Perfect, thanks!

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎12-05-2019 04:13 PM

Assuming that your existing search ends in something like | table _time foo bat, just insert an appendpipe like like this:

| makeresults
| eval foo="bar", bat="baz"

| where true()=false()

| appendpipe [stats count | where count==0 | foreach _time foo bat [eval <>="No Results Found"]]
| table _time foo bat
Reply
Solved! Jump to solution

bullbo
Engager
‎12-06-2019 05:33 AM

Thanks, but doesn't seem to work or I'm doing something wrong (quite possible), here's my query with the appendpipe added. Feel free to let me know what I am probably doing wrong.

index=wineventlog source=wineventlog:security EventCode=4725 OR EventCode=629
| appendpipe [stats count | where count==0 | foreach _time, user, src_user, EventCodeDescription
[eval <>="No Results Found"]]

| table _time, user, src_user, EventCodeDescription

| rename _time as Date, src_user as "Disabled by", user as "User Account", EventCodeDescription as "Event"

| convert ctime(Date)

0 Karma
Reply
Get Updates on the Splunk Community!

Streamline Data Ingestion With Deployment Server Essentials

REGISTER NOW!Every day the list of sources Admins are responsible for gets bigger and bigger, often making the ...

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

REGISTER NOW!Join us for a Tech Talk around our latest release of Splunk Enterprise Security 7.2! We’ll walk ...

Introduction to Splunk AI

WATCH NOWHow are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. ...