Splunk Search

Table message when No results found.

Explorer

How to print a custom message in a table when No results found, when no logs?

example search:

index=test | eval msg="No logs!" | table msg

No results found.

but I want table

    msg
| No logs! |

Splunk Employee

This occurs because the search index=test returns no events, which gives eval no objects to decorate with the "msg" field.

Since what you seem to want here is a no-op search, I suggest the following search string, which appears to yield the desired results :

| stats count | eval msg="No logs!" | table msg

The | stats count essentially acts as a no-op but yields one result that eval can then decorate with the "msg" field.


Communicator

Here is a different approach to doing this. With the query below, if it does return results they will be displayed, but if the query returns "No results found" then it will display whatever message you have in the eval statement, and you can name the column header whatever you would like as well. Just rename error to something else and change the table at the end to match that.

index=test |appendpipe [stats count| eval error="Your message here"  | where count==0 |table error]

Basically, just put the |appendpipe [stats ... after any query and it will display your message if there are no results to display.

Explorer

Thank you for the appendpipe. I made the following changes as per my requirement. It is working fine now.
Now Success returns 0, Failure returns 1, No results found returns 9.

| eval final = if(status_="exist", 0, 1) 
| table final
| appendpipe [stats count| eval final=9 | where count==0 |table final]
| outputlookup output.csv

Motivator

| stats count | eval msg = if(count == 0, "No Msg!","Msgs Exist!") | table msg

Building from the mighty hexx's answer, I put in an if statement to only show "No Msg!" if there were indeed no events. eval msg="No logs!" would display the no log message even when it does return.

Communicator

If you wanted to show results of the instead of "Msgs Exist!" you could do:

| stats count | eval msg = if(count == 0, "No Msg!",count) | table msg

Sorry to rez an old post but I am searching for a solution on this as well...

Builder

Of note, this works with a simple "stats count". It does not work if you split your stats over a field (i.e. stats count by host).

Also, if using this for a no-volume alert, you can use null as the second argument. Then your alert would be a "if results count > 0".

| stats count | eval status=if(count == 0,"No Volume",null) | table status

Explorer

I am trying to include logic so that it can handle No results found.

When no events are found, the following returns 9.
When events exist, the final field loses its scope after stats.
| eval final = if(count=0,9,final):- Here the final field becomes inaccessible.

| eval final = if(status_="exist", 0, 1) 
| stats count
| eval final = if(count=0,9,final)
| table final

To make the final field accessible after stats, I used | stats count by final.
This created an additional problem: when the events are present, | stats count by final fails.

| eval final = if(status_="exist", 0, 1) 
| stats count by final
| eval final = if(count=0,9,final)
| table final

Communicator

@biec1 Take a look at my answer I just posted and see if that solves your problem.


Path Finder

I also have the same question as stephento


Path Finder

Just looking at the code, you only get a message stating whether data was found or not. Is there a way to show data when data exists, but the message "No Msg!" if there isn't? Sorry to rez an old post.

SplunkTrust

You are a genius, thank you!
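
An added example, not part of the original thread: the appendpipe fallback from the answer above applied to a split-by search (stats count by host), which, as noted in the thread, returns no rows at all when nothing matches. The events are generated with makeresults and the host names web01, web02 and db99 are constructed, so it runs without any indexed data. As written it returns a single fallback row (host="No logs!", count=0); changing db99 to web01 returns the normal per-host row and no fallback row.

```spl
| makeresults count=4
| streamstats count AS n
| eval host=if(n<=3, "web01", "web02")
| search host="db99"
| stats count by host
| appendpipe
    [ stats count
    | where count==0
    | eval host="No logs!"
    | table host count ]
```

The stats count inside appendpipe counts the rows produced so far, so the where clause lets the fallback row through only when the main search produced nothing.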