I have a scenario where I want a variable (Loss) to be 0 if no result is found by the search below:
| dbxquery query="SELECT * FROM \"Cherwell\".\"dbo\".\"v_ServicelineToLogicalDevice_Splunk\"" connection="Cherwell-DB"
| rename LNCID as RecID
| join type=inner RecID
[| dbxquery query="SELECT * FROM \"Cherwell\".\"dbo\".\"v_LogicalCircuits_Splunk\"" connection="Cherwell-DB"]
| rename RecID as LNCID
| fields - Bandwidth Status
| rename LogicalObjectSiteAID as Rec_ID
| join type=inner Rec_ID
[ inputlookup objects]
| rename Device_Name as Hostname
| join type=inner Hostname
[ search index=index_zabbixnotify
| dedup IP Alarm
| search Status="PROBLEM"]
| rename ServiceLineID as RecID
| join type=left RecID
[| dbxquery query="SELECT * FROM \"Cherwell\".\"dbo\".\"v_ServiceLines_Splunk\"" connection="Cherwell-DB"]
| search Status=Active
| stats sum(Bandwidth) as Loss
I want Loss to be filled with 0 if nothing is found. The search is working fine if it finds some events.
You can add the following line at the end of your search:
| appendpipe [stats count | where count=0 | eval Loss=0 | fields - count]