Solved: If there are no results found, how do I get my sea...

smcdonald20 · ‎10-24-2016

I have the following search:

index=ad source=otl_adgroupmemberscan memberSamAccountName=jbloggs
|dedup memberSamAccountName, groupSamAccountName
|table groupSamAccountName, memberSamAccountName

If there are no results, I want it to show a field that have a value of zero.

If there are results though, it's important the search still returns all of the values of groupSamAccountName and memberSamAccountName

cmerriman · ‎10-24-2016

index=ad source=otl_adgroupmemberscan memberSamAccountName=jbloggs
|dedup memberSamAccountName, groupSamAccountName
|table groupSamAccountName, memberSamAccountName
| appendpipe [ stats count | eval "NoResults"="0"  | where count=0 |table "NoResults"]

you could name the "NoResults" field to groupSamAccountName or memberSamAccountName and it would replace that field value if there are no results.

View solution in original post

cmerriman · ‎10-24-2016

index=ad source=otl_adgroupmemberscan memberSamAccountName=jbloggs
|dedup memberSamAccountName, groupSamAccountName
|table groupSamAccountName, memberSamAccountName
| appendpipe [ stats count | eval "NoResults"="0"  | where count=0 |table "NoResults"]

you could name the "NoResults" field to groupSamAccountName or memberSamAccountName and it would replace that field value if there are no results.

smcdonald20 · ‎10-24-2016

Thank you! this worked exactly how I wanted it to.

If there are no results found, how do I get my search to return a field that has the value of zero?

What’s New in Splunk Cloud Platform 9.1.2308?

Index This | Why do they call it hyper text?

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk