- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Table message when No results found.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This occurs because the search index=test returns no events, which gives eval no objects to decorate with the "msg" field.
Since what you seem to want here is a no-op search, I suggest the following search string, which appears to yield the desired results :
| stats count | eval msg="No logs!" | table msg
The | stats count essentially acts as a no-op but yields one result that eval can then decorate with the "msg" field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is a different approach to doing this. With the query below if it does return results the will be displayed but if the query returns "No results found" then it will display whatever message you have in the eval statement and you can name the column header to whatever you would like as well. Just rename error to something else and change the table to at the end to match that.
index=test |appendpipe [stats count| eval error="Your message here" | where count==0 |table error]
Basicly just put the |appendpipe [stats ... after any query and it will display your message if there is no results to display.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the appendpipe. I made the following changes as per my requirement. It is working fine now.
Now Success returns 0, Failure returns 1, No results found returns 9.
| eval final = if(status_="exist", 0, 1)
| table final
| appendpipe [stats count| eval final=9 | where count==0 |table final]
| outputlookup output.csv
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| stats count | eval msg = if(count == 0, "No Msg!","Msgs Exist!") | table msg
Building from the mighty hexx's answer, I put in an if statement to only show "No Msg!" if there were indeed no events. eval msg="No logs!" would display the no log message even when it does return.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you wanted to show results of the instead of "Msgs Exist!" you could do:
| stats count | eval msg = if(count == 0, "No Msg!",count) | table msg
Sorry to rez an old post but I am searching for a solution on this as well...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Of note, this works with a simple "stats count". It does not work if you split your stats over a field (i.e. stats count by host).
Also, if using this for a no-volume alert, you can use null as the second argument. Then your alert would be a "if results count > 0".
| stats count | eval status=if(count == 0,"No Volume",null) | table status
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to include logic ,so that it can handle No results found.
When No events found,the following returns 9.
When Events Exist the final field loses its scope after stats.
| eval final = if(count=0,9,final):- Here the final field becomes inaccessible.
| eval final = if(status_="exist", 0, 1)
| stats count
| eval final = if(count=0,9,final)
| table final
To make final field accessible after stats, i used | stats count by final .
This created additional problem, when the events are present, | stats count by final fails.
| eval final = if(status_="exist", 0, 1)
| stats count by final
| eval final = if(count=0,9,final)
| table final
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@biec1 Take a look at my answer I just posted and see if that solves your problem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I also have the same question as stephento
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just looking at the code, you only get a message stating whether data was found or not. Is there a way to show data when data exists, but the message "No Msg!" if there isn't? Sorry to rez an old post.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This occurs because the search index=test returns no events, which gives eval no objects to decorate with the "msg" field.
Since what you seem to want here is a no-op search, I suggest the following search string, which appears to yield the desired results :
| stats count | eval msg="No logs!" | table msg
The | stats count essentially acts as a no-op but yields one result that eval can then decorate with the "msg" field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are a genius, thank you !
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
