- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Timechart with no data gives "No results found...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to show the number of bad errors each minute over an hour time period to show as an embedded report.
I am using:
index=foo "Bad error" | timechart span=1m count as "Bad Error"
I am hitting the usual problem where if there were no bad errors in one hour the result is just "No results found" rather than a blank linechart.
I've spent time looking at the fillnull suggestions etc but can't find anything that works for me. Ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@burwell, get the Splunk Dashboard Examples app from Splunkbase and check out Null Result Swapper example. Basically Splunk gives your two attributes i.e. depends and rejects, which can be attached to any visualization element like row, panel or chart etc and depending on whether the required token is set or unset they can show or hide the same.
In your case you can use the <progress> or <done> search event handler to access one of default job token i.e. $job.resultCount$ which will be 0 in case of no results found.
<done>
<condition match=" 'job.resultCount' == 0">
<set token="show_html">true</set>
</condition>
<condition>
<unset token="show_html"/>
</condition>
<done>
Refer to documentation: http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#done
Then use the token $show_token$ with depends attribute to show timechart only when results exist. You can also add an HTML panel with rejects attribute with the same token to show your custom error message in case no no results are found and $show_tokens$ is not set.
<chart rejects="$show_html$">
...
</chart>
<html depends="$show_token$">
<div style="font-weight:bold;font-size:150%;text-align:center;color:red">
No results found for selected timerange. Please relax the search filters or increase the time range.
</div>
</html>
Try the following run anywhere dashboard:
<form>
<label>Show hide using depends and rejects on no results found</label>
<fieldset submitButton="false">
<input type="time" token="tokTime" searchWhenChanged="true">
<label>Select Time</label>
<default>
<earliest>-60m@m</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<chart rejects="$show_html$">
<search>
<query>index=_internal sourcetype=splunkd log_level="ERROR"
| timechart count</query>
<earliest>$tokTime.earliest$</earliest>
<latest>$tokTime.latest$</latest>
<progress>
<condition match="$job.resultCount$ == 0">
<set token="show_html">true</set>
</condition>
<condition>
<unset token="show_html"/>
</condition>
</progress>
</search>
</chart>
<html depends="$show_html$">
<div style="font-weight:bold;font-size:150%;text-align:center;color:red">
No results found for selected timerange. Please relax the search filters or increase the time range.
</div>
</html>
</panel>
</row>
</form>
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This worked well for me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@dbarnesroomstogo, I am glad you found the answer useful. Do up vote the comment/s that helped 🙂
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
index=foo "Bad Error"
| appendpipe [|makeresults]
| timechart span=1m count(searchmatch("Bad error")) AS "Bad Error"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Woodcock. So my "Bad Error" code was really status="500" and so I couldn't get this method to work. I wasn't sure what to put in the searchmatch..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
index=foo status="500"
| appendpipe [|makeresults]
| timechart span=1m count(eval(status="500")) AS "Bad Error"
It should be much simpler.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Woodcock. This one does work and is about the same amount of time as the answer @niketnilay gave which I already accepted. I really appreciate the solution.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@burwell, get the Splunk Dashboard Examples app from Splunkbase and check out Null Result Swapper example. Basically Splunk gives your two attributes i.e. depends and rejects, which can be attached to any visualization element like row, panel or chart etc and depending on whether the required token is set or unset they can show or hide the same.
In your case you can use the <progress> or <done> search event handler to access one of default job token i.e. $job.resultCount$ which will be 0 in case of no results found.
<done>
<condition match=" 'job.resultCount' == 0">
<set token="show_html">true</set>
</condition>
<condition>
<unset token="show_html"/>
</condition>
<done>
Refer to documentation: http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#done
Then use the token $show_token$ with depends attribute to show timechart only when results exist. You can also add an HTML panel with rejects attribute with the same token to show your custom error message in case no no results are found and $show_tokens$ is not set.
<chart rejects="$show_html$">
...
</chart>
<html depends="$show_token$">
<div style="font-weight:bold;font-size:150%;text-align:center;color:red">
No results found for selected timerange. Please relax the search filters or increase the time range.
</div>
</html>
Try the following run anywhere dashboard:
<form>
<label>Show hide using depends and rejects on no results found</label>
<fieldset submitButton="false">
<input type="time" token="tokTime" searchWhenChanged="true">
<label>Select Time</label>
<default>
<earliest>-60m@m</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<chart rejects="$show_html$">
<search>
<query>index=_internal sourcetype=splunkd log_level="ERROR"
| timechart count</query>
<earliest>$tokTime.earliest$</earliest>
<latest>$tokTime.latest$</latest>
<progress>
<condition match="$job.resultCount$ == 0">
<set token="show_html">true</set>
</condition>
<condition>
<unset token="show_html"/>
</condition>
</progress>
</search>
</chart>
<html depends="$show_html$">
<div style="font-weight:bold;font-size:150%;text-align:center;color:red">
No results found for selected timerange. Please relax the search filters or increase the time range.
</div>
</html>
</panel>
</row>
</form>
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Slow clap. This is awesome @niketnilay
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@skoelpin, thanks it means a lot 🙂
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the detailed answer. Unfortunately, I need to embed the report in an iframe. As I understand it, I can't embed a dashboard.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@burwell, there is a crooked way of embedding a dashboard to your webpage, but it opens up clickjacking attack. Refer to my answer: https://answers.splunk.com/answers/582632/how-do-you-use-custom-xml-in-reports-from-dashboar.html#an...
However, if you want to stick to Report you can try a search like the following:
index=_internal sourcetype=splunkd log_level=ERROR
| timechart count
| appendpipe
[| makeresults
| eval count=0]
| dedup _time
It appends a dummy row for current time with count 0. If timechart with any record exist current _time will have either 0 or positive count. Hence dedup _time will reject appended dummy row.
If timechart returns no results it will keep the dummy row for current time with count=0 hence it will show blank timechart instead of no results found.
For you sample query you can try the following:
index=foo "Bad error"
| timechart span=1m count as "Bad Error"
| appendpipe
[| makeresults
| eval "Bad Error"=0]
| dedup _time
Please see if one of these options works for you and confirm.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi. Yes I did not want to open up clickjacking. Your solution above works perfectly! We see an empty timechart when there are no errors instead of the "No results" error. Perfect. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yay! Glad one of the options worked 🙂
| makeresults | eval message= "Happy Splunking!!!"
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
