Solved: Re: Return a custom table with empty results when ...

matansocher · ‎10-15-2017

Hi,
I have the following search, and sometimes it doesn't get any results.
When there are no values to return, I want to return a table with the fields: _time | sloc_type | upload_id
to show the user that there are no results.

My search:

index=testeda_p groupID=sloc_data 
    | search project=Periph core=pcie core_ver=1.4 sloc_type="verif" 
    | dedup _time 
    | sort -_time 
    | head 1 
    | table _time sloc_type upload_id

Thanks

gcusello · ‎10-15-2017

Hi matansocher,
try something like this

index=testeda_p groupID=sloc_data project=Periph core=pcie core_ver=1.4 sloc_type="verif" 
| dedup _time 
| sort -_time 
| append [ | stats count | eval sloc_type="No logs!", upload_id=""| table _time sloc_type upload_id ]  
| head 1 
| table _time sloc_type upload_id

Bye.
Giuseppe

View solution in original post

gcusello · ‎10-15-2017

Hi matansocher,
try something like this

index=testeda_p groupID=sloc_data project=Periph core=pcie core_ver=1.4 sloc_type="verif" 
| dedup _time 
| sort -_time 
| append [ | stats count | eval sloc_type="No logs!", upload_id=""| table _time sloc_type upload_id ]  
| head 1 
| table _time sloc_type upload_id

Bye.
Giuseppe

Return a custom table with empty results when no results on base search

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?