Splunk Search

How to get table column headers to display even if no results are found?

bullbo
Engager

I have a search that displays new accounts created over the past 30 days and another that displays accounts deleted over the past 30 days.

I would like to have the column (field) names display even if no results are returned as well as the “No results found” message. Is it possible or am I asking too much?

0 Karma
1 Solution

to4kawa
Ultra Champion
index=wineventlog source=wineventlog:security EventCode=4725 OR EventCode=629
| appendpipe [stats count | where count==0 |eval EventCodeDescription="No Results Found"]
| table _time, user, src_user, EventCodeDescription
| rename _time as Date, src_user as "Disabled by", user as "User Account", EventCodeDescription as "Event"
| convert ctime(Date)

View solution in original post

to4kawa
Ultra Champion
index=wineventlog source=wineventlog:security EventCode=4725 OR EventCode=629
| appendpipe [stats count | where count==0 |eval EventCodeDescription="No Results Found"]
| table _time, user, src_user, EventCodeDescription
| rename _time as Date, src_user as "Disabled by", user as "User Account", EventCodeDescription as "Event"
| convert ctime(Date)

bullbo
Engager

Perfect, thanks!

0 Karma

woodcock
Esteemed Legend

Assuming that your existing search ends in something like | table _time foo bat, just insert an appendpipe like like this:

| makeresults
| eval foo="bar", bat="baz"

| where true()=false()

| appendpipe [stats count | where count==0 | foreach _time foo bat [eval <>="No Results Found"]]
| table _time foo bat

bullbo
Engager

Thanks, but doesn't seem to work or I'm doing something wrong (quite possible), here's my query with the appendpipe added. Feel free to let me know what I am probably doing wrong.

index=wineventlog source=wineventlog:security EventCode=4725 OR EventCode=629
| appendpipe [stats count | where count==0 | foreach _time, user, src_user, EventCodeDescription
[eval <>="No Results Found"]]

| table _time, user, src_user, EventCodeDescription

| rename _time as Date, src_user as "Disabled by", user as "User Account", EventCodeDescription as "Event"

| convert ctime(Date)

0 Karma
Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...

Reminder! Splunk Love Promo: $25 Visa Gift Card for Your Honest SOAR Review With ...

We recently launched our first Splunk Love Special, and it's gone phenomenally well, so we're doing it again, ...