Stats command not showing field column when data i...

madhuragujarath · ‎08-11-2019

Hi. I am running below search. Sometimes error does not happen but in that case, stats command shows no data.
Can I show column still with some default value when the error is not happening? I want to show no data as 'NOERRORHere' ?

index=*tech* index=digital_technical_api_gw_hac_raw " New Message Response notification related "   | join type=outer host [|inputlookup  gw_list]  | stats values(apiName) AS API ,values(host) AS host count(eval(statusCode>400)) AS HttpResponseMoreThan400, count(eval(statusCode<400)) AS HttpResponseLessThan400  tp_set , source   | join type=outer max=0 [ search  index=*tech* index=digital_technical_api_gw_hac_raw ("com.ncipher.nfast.connect.StatusNotOK" OR "An Exception was caught while trying to decrypt the data")  | join type=outer host [|inputlookup  gw_list] | stats count as HSMErrorCountsOnGivenStripe by tp_set , source ]

willemjongeneel · ‎08-12-2019

Hello,

Maybe you can try to add something like this?

| eval output=case(HSMErrorCountsOnGivenStripe=0, "No Errors Here", HSMErrorCountsOnGivenStripe>0, HSMErrorCountsOnGivenStripe)
| table output

Kind Regards,
Willem

Stats command not showing field column when data is not there

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you a member of the Splunk Community?

Stats command not showing field column when data is not there

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...