I want to show the number of bad errors each minute over an hour time period to show as an embedded report.
I am using:
index=foo "Bad error" | timechart span=1m count as "Bad Error"
I am hitting the usual problem where if there were no bad errors in one hour the result is just "No results found" rather than a blank linechart.
I've spent time looking at the fillnull suggestions etc but can't find anything that works for me. Ideas?
@burwell, get the Splunk Dashboard Examples app from Splunkbase and check out the Null Result Swapper example. Basically Splunk gives you two attributes, i.e. depends and rejects, which can be attached to any visualization element like row, panel or chart etc. and, depending on whether the required token is set or unset, they can show or hide the same.
In your case you can use the <progress> or <done> search event handler to access one of the default job tokens, i.e. $job.resultCount$, which will be 0 in case of no results found.
<done>
<condition match=" 'job.resultCount' == 0">
<set token="show_html">true</set>
</condition>
<condition>
<unset token="show_html"/>
</condition>
</done>
Refer to documentation: http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#done
Then use the token $show_html$ with the depends attribute to show the timechart only when results exist. You can also add an HTML panel with the rejects attribute on the same token to show your custom error message in case no results are found and $show_html$ is not set.
<chart rejects="$show_html$">
...
</chart>
<html depends="$show_html$">
<div style="font-weight:bold;font-size:150%;text-align:center;color:red">
No results found for selected timerange. Please relax the search filters or increase the time range.
</div>
</html>
Try the following run-anywhere dashboard:
<form>
<label>Show hide using depends and rejects on no results found</label>
<fieldset submitButton="false">
<input type="time" token="tokTime" searchWhenChanged="true">
<label>Select Time</label>
<default>
<earliest>-60m@m</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<chart rejects="$show_html$">
<search>
<query>index=_internal sourcetype=splunkd log_level="ERROR"
| timechart count</query>
<earliest>$tokTime.earliest$</earliest>
<latest>$tokTime.latest$</latest>
<progress>
<condition match="$job.resultCount$ == 0">
<set token="show_html">true</set>
</condition>
<condition>
<unset token="show_html"/>
</condition>
</progress>
</search>
</chart>
<html depends="$show_html$">
<div style="font-weight:bold;font-size:150%;text-align:center;color:red">
No results found for selected timerange. Please relax the search filters or increase the time range.
</div>
</html>
</panel>
</row>
</form>
This worked well for me.
@dbarnesroomstogo, I am glad you found the answer useful. Do up vote the comment/s that helped 🙂
Try this:
index=foo "Bad error"
| appendpipe [|makeresults]
| timechart span=1m count(eval(searchmatch("Bad error"))) AS "Bad Error"
Hi Woodcock. So my "Bad Error" code was really status="500" and so I couldn't get this method to work. I wasn't sure what to put in the searchmatch..
Try this:
index=foo status="500"
| appendpipe [|makeresults]
| timechart span=1m count(eval(status="500")) AS "Bad Error"
It should be much simpler.
Thanks Woodcock. This one does work and is about the same amount of time as the answer @niketnilay gave which I already accepted. I really appreciate the solution.
Slow clap. This is awesome @niketnilay
@skoelpin, thanks it means a lot 🙂
Thanks for the detailed answer. Unfortunately, I need to embed the report in an iframe. As I understand it, I can't embed a dashboard.
@burwell, there is a crooked way of embedding a dashboard in your webpage, but it opens up a clickjacking attack. Refer to my answer: https://answers.splunk.com/answers/582632/how-do-you-use-custom-xml-in-reports-from-dashboar.html#an...
However, if you want to stick to a report you can try a search like the following:
index=_internal sourcetype=splunkd log_level=ERROR
| timechart count
| appendpipe
[| makeresults
| eval count=0]
| dedup _time
It appends a dummy row for the current time with count 0. If the timechart has any records, the current _time will already have either 0 or a positive count, so dedup _time will reject the appended dummy row.
If the timechart returns no results it will keep the dummy row for the current time with count=0, so it will show a blank timechart instead of "No results found".
For your sample query you can try the following:
index=foo "Bad error"
| timechart span=1m count as "Bad Error"
| appendpipe
[| makeresults
| eval "Bad Error"=0]
| dedup _time
Please see if one of these options works for you and confirm.
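A variant of the search above, added here as an example and not part of the original answers: it runs the dummy row through bin _time span=1m so its _time is floored to the same 1-minute bucket boundary that timechart uses. When at least one event matched, timechart already emits a row for every minute in the range (zero-count minutes included), the dummy lands on an existing _time value and dedup _time drops it; when nothing matched, the single zero-count row still forces an empty chart instead of "No results found". The index name foo and the search term are taken from the question; the bin step is the added part.

```spl
index=foo "Bad error"
| timechart span=1m count AS "Bad Error"
| appendpipe
    [| makeresults
     | bin _time span=1m
     | eval "Bad Error"=0]
| dedup _time
```

Save it as a report with the one-hour time range and embed that report; the report's own earliest/latest apply to the search, and because dedup keeps the first occurrence of each _time, the real timechart bucket always wins over the appended row.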
Hi. Yes I did not want to open up clickjacking. Your solution above works perfectly! We see an empty timechart when there are no errors instead of the "No results" error. Perfect. Thanks.
Yay! Glad one of the options worked 🙂