Splunk Search

How to get table column headers to display even if no results are found?

Engager

I have a search that displays new accounts created over the past 30 days and another that displays accounts deleted over the past 30 days.

I would like to have the column (field) names display even if no results are returned as well as the “No results found” message. Is it possible or am I asking too much?

0 Karma
1 Solution

Ultra Champion
index=wineventlog source=wineventlog:security EventCode=4725 OR EventCode=629
| appendpipe [stats count | where count==0 |eval EventCodeDescription="No Results Found"]
| table _time, user, src_user, EventCodeDescription
| rename _time as Date, src_user as "Disabled by", user as "User Account", EventCodeDescription as "Event"
| convert ctime(Date)

View solution in original post

Ultra Champion
index=wineventlog source=wineventlog:security EventCode=4725 OR EventCode=629
| appendpipe [stats count | where count==0 |eval EventCodeDescription="No Results Found"]
| table _time, user, src_user, EventCodeDescription
| rename _time as Date, src_user as "Disabled by", user as "User Account", EventCodeDescription as "Event"
| convert ctime(Date)

View solution in original post

Engager

Perfect, thanks!

0 Karma

Esteemed Legend

Assuming that your existing search ends in something like | table _time foo bat, just insert an appendpipe like like this:

| makeresults
| eval foo="bar", bat="baz"

| where true()=false()

| appendpipe [stats count | where count==0 | foreach _time foo bat [eval <>="No Results Found"]]
| table _time foo bat

Engager

Thanks, but doesn't seem to work or I'm doing something wrong (quite possible), here's my query with the appendpipe added. Feel free to let me know what I am probably doing wrong.

index=wineventlog source=wineventlog:security EventCode=4725 OR EventCode=629
| appendpipe [stats count | where count==0 | foreach time, user, srcuser, EventCodeDescription
[eval <>="No Results Found"]]

| table time, user, srcuser, EventCodeDescription

| rename time as Date, srcuser as "Disabled by", user as "User Account", EventCodeDescription as "Event"

| convert ctime(Date)

0 Karma