Solved: Need to generate 0 results in case of no data avai...

Learnersplunk21 · ‎06-15-2021

I have a dashboard panel where it is possibility we get no results in the indexer from the backend as it only sends results in case of "down" but not in situation when asset status is healthy. I m trying to append pipe results for the fields so that when results are not there , a table with values 0 ,0 can be generated and added in the panel to be tabulated . Below is my panel

Status Warning Critical Overall Health

Region 2 3 Critical

Service 2 3 Critical

In the case warning and critical are 0 , i need to show healthy and for that i need to append pipe 0 values to Region service when there is no data coming from backend .Please help with the append pipe query on how that can be incorporated

bowesmana · ‎06-15-2021

Here's a simple search example that will show you how you can use append+stats to add data where there is no data

| makeresults
| eval _raw="Status,Warning,Critical,OverallHealth
Region,2,3,Critical
Service,2,3,Critical"
| multikv forceheader=1
| table Status Warning Critical OverallHealth
| eval Warning=random() % 3, Critical=random() % 3
| where Warning>0 OR Critical>0
| append [
  | makeresults
  | fields - _time
  | eval Status=split("Region,Service", ","), Warning=0, Critical=0
  | mvexpand Status
]
| stats max(Warning) as Warning max(Critical) as Critical values(OverallHealth) as OverallHealth by Status
| addtotals Warning Critical
| eval OverallHealth=if(Total=0, "Healthy", OverallHealth)
| fields - Total

The first part up to the append creates a region and service row where both critical and warning are >0

Then the append adds a 0 value row for the region/service and the final stats joins the potential values.

addtotals then allows the overall health to be set as healthy if both values are 0 - could be done with just an if statement checking warning+critical

This will depend on your actual search, but hopefully gives you an idea on how to proceed.

View solution in original post

Learnersplunk21 · ‎06-16-2021

Thank you so much, this really helps, i l build it up further to make my query.

bowesmana · ‎06-15-2021

Here's a simple search example that will show you how you can use append+stats to add data where there is no data

| makeresults
| eval _raw="Status,Warning,Critical,OverallHealth
Region,2,3,Critical
Service,2,3,Critical"
| multikv forceheader=1
| table Status Warning Critical OverallHealth
| eval Warning=random() % 3, Critical=random() % 3
| where Warning>0 OR Critical>0
| append [
  | makeresults
  | fields - _time
  | eval Status=split("Region,Service", ","), Warning=0, Critical=0
  | mvexpand Status
]
| stats max(Warning) as Warning max(Critical) as Critical values(OverallHealth) as OverallHealth by Status
| addtotals Warning Critical
| eval OverallHealth=if(Total=0, "Healthy", OverallHealth)
| fields - Total

The first part up to the append creates a region and service row where both critical and warning are >0

Then the append adds a 0 value row for the region/service and the final stats joins the potential values.

addtotals then allows the overall health to be set as healthy if both values are 0 - could be done with just an if statement checking warning+critical

This will depend on your actual search, but hopefully gives you an idea on how to proceed.

Need to generate 0 results in case of no data available

eval

stats

table

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...