I have a dashboard panel where it is possible that we get no results in the indexer from the backend, as it only sends results in case of "down" but not when the asset status is healthy. I'm trying to append pipe results for the fields so that when results are not there, a table with values 0, 0 can be generated and added to the panel to be tabulated. Below is my panel:
Status    Warning    Critical    Overall Health
Region    2          3           Critical
Service   2          3           Critical
In the case where warning and critical are 0, I need to show healthy, and for that I need to append pipe 0 values to Region and Service when there is no data coming from the backend. Please help with the append pipe query and how that can be incorporated.
Here's a simple search example that will show you how you can use append+stats to add data where there is no data
| makeresults
| eval _raw="Status,Warning,Critical,OverallHealth
Region,2,3,Critical
Service,2,3,Critical"
| multikv forceheader=1
| table Status Warning Critical OverallHealth
| eval Warning=random() % 3, Critical=random() % 3
| where Warning>0 OR Critical>0
| append [
| makeresults
| fields - _time
| eval Status=split("Region,Service", ","), Warning=0, Critical=0
| mvexpand Status
]
| stats max(Warning) as Warning max(Critical) as Critical values(OverallHealth) as OverallHealth by Status
| addtotals Warning Critical
| eval OverallHealth=if(Total=0, "Healthy", OverallHealth)
| fields - Total
The first part up to the append creates a region and service row where both critical and warning are >0.
Then the append adds a 0 value row for the region/service and the final stats joins the potential values.
addtotals then allows the overall health to be set as healthy if both values are 0 - could be done with just an if statement checking warning+critical.
This will depend on your actual search, but hopefully gives you an idea on how to proceed.
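For the appendpipe form the question asks about, here is an added example (not from either poster; the sample row and the severity mapping in case() are constructed assumptions). The subpipeline emits the zero-value Region and Service rows only when the search returned nothing at all, so a single missing row still needs the append+stats approach shown in the answer.

```spl
| makeresults
| fields - _time
| eval Status="Region", Warning=0, Critical=0
| where Warning>0 OR Critical>0
| appendpipe
    [ stats count
    | where count=0
    | eval Status=split("Region,Service", ","), Warning=0, Critical=0
    | mvexpand Status
    | fields - count ]
| eval OverallHealth=case(Critical>0, "Critical", Warning>0, "Warning", true(), "Healthy")
| table Status Warning Critical OverallHealth
```

The first four lines stand in for a backend search that returns no rows; replace them with the real search to use this in a panel.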
Thank you so much, this really helps. I'll build it up further to make my query.