Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk display 0 when no results found from last x minutes

sahil237888
Path Finder
‎08-06-2019 02:35 AM

Hi Team,

Need help in creating a query.
I want to display 0 when no data/events found. But I am getting "No results found. Try expanding the time range."
either by using "fillnull value =0" or "eval Data=if(isnull(Data),0,Data)". but no result.

I am using query as :

sourcetype=systems earliest=-15m
| timechart span=1m count as Data
| eval Data=if(isnull(Data),0,Data)

OR

sourcetype=systems earliest=-15m
| timechart span=1m count as Data
| fillnull value=0 Data

Tags (1)
0 Karma
Reply

niketn
Legend
‎08-06-2019 03:57 AM

@sahil237888 try one of my older answers you can use $job.resultCount$ inside search event handler for above query and if the count is 0 unset the token to show a different panel with 0 count using rejects otherwise display the time chart. The answer in discussion also talks about showing empty timechart for 0 result count if required.

https://answers.splunk.com/answers/595248/timechart-with-no-data-gives-no-results-found.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

sahil237888
Path Finder
‎08-06-2019 04:23 AM

Hi @niketnilay,

Actually the thing is I am creating an alert so $job.resultcount$ can work only with dashboards but not with query.
Any suggestion on that.

0 Karma
Reply

niketn
Legend
‎08-06-2019 08:12 AM

That is the second option I mentioned which is explained in the message of my answer above.
Have you tried adding the following appendpipe to your existing search?

sourcetype=systems earliest=-15m
| timechart span=1m count as Data 
| fillnull value=0 Data
| appendpipe 
    [| makeresults 
    | bin _time span=1m] 
| dedup _time
| fillnull value=0 Data

Following is a run anywhere example based on the answer posted in the above answer:

index=_internal sourcetype=splunkd log_level=ERROR 
| timechart span=1m count as Data
| appendpipe 
    [| makeresults 
     | bin _time span=1m] 
| dedup _time
| fillnull value=0 Data
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...