Splunk Search

Need to generate 0 results in case of no data available

Learnersplunk21
Engager

I have a dashboard panel where it is possibility we get no results in the indexer from the backend as it only sends results in case of "down" but not in situation when asset status is healthy. I m trying to append pipe results for the fields so that when results are not there , a table with values 0 ,0 can be generated and added in the panel to be tabulated . Below is my panel

 

Status            Warning        Critical    Overall Health

Region                  2                    3               Critical

Service                 2                  3                 Critical

 

 

In the case warning and critical are 0 , i need to show healthy and for that i need to append pipe 0 values to Region service when there is no data coming from backend .Please help with the append pipe query on how that can be incorporated

 

Labels (3)
0 Karma
1 Solution

bowesmana
Champion

Here's a simple search example that will show you how you can use append+stats to add data where there is no data

| makeresults
| eval _raw="Status,Warning,Critical,OverallHealth
Region,2,3,Critical
Service,2,3,Critical"
| multikv forceheader=1
| table Status Warning Critical OverallHealth
| eval Warning=random() % 3, Critical=random() % 3
| where Warning>0 OR Critical>0
| append [
  | makeresults
  | fields - _time
  | eval Status=split("Region,Service", ","), Warning=0, Critical=0
  | mvexpand Status
]
| stats max(Warning) as Warning max(Critical) as Critical values(OverallHealth) as OverallHealth by Status
| addtotals Warning Critical
| eval OverallHealth=if(Total=0, "Healthy", OverallHealth)
| fields - Total

The first part up to the append creates a region and service row where both critical and warning are >0

Then the append adds a 0 value row for the region/service and the final stats joins the potential values.

addtotals then allows the overall health to be set as healthy if both values are 0 - could be done with just an if statement checking warning+critical

This will depend on your actual search, but hopefully gives you an idea on how to proceed.

 

View solution in original post

Learnersplunk21
Engager

Thank you so much, this really helps, i l build it up further to make my query.

0 Karma

bowesmana
Champion

Here's a simple search example that will show you how you can use append+stats to add data where there is no data

| makeresults
| eval _raw="Status,Warning,Critical,OverallHealth
Region,2,3,Critical
Service,2,3,Critical"
| multikv forceheader=1
| table Status Warning Critical OverallHealth
| eval Warning=random() % 3, Critical=random() % 3
| where Warning>0 OR Critical>0
| append [
  | makeresults
  | fields - _time
  | eval Status=split("Region,Service", ","), Warning=0, Critical=0
  | mvexpand Status
]
| stats max(Warning) as Warning max(Critical) as Critical values(OverallHealth) as OverallHealth by Status
| addtotals Warning Critical
| eval OverallHealth=if(Total=0, "Healthy", OverallHealth)
| fields - Total

The first part up to the append creates a region and service row where both critical and warning are >0

Then the append adds a 0 value row for the region/service and the final stats joins the potential values.

addtotals then allows the overall health to be set as healthy if both values are 0 - could be done with just an if statement checking warning+critical

This will depend on your actual search, but hopefully gives you an idea on how to proceed.

 

View solution in original post

Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.