
Timechart with no data gives "No results found"

SplunkTrust

I want to show the number of bad errors each minute over an hour time period to show as an embedded report.

I am using:

   index=foo "Bad error" | timechart span=1m count as "Bad Error"

I am hitting the usual problem where if there were no bad errors in one hour the result is just "No results found" rather than a blank linechart.

I've spent time looking at the fillnull suggestions etc but can't find anything that works for me. Ideas?


Re: Timechart with no data gives "No results found"

Legend

@burwell, get the Splunk Dashboard Examples app from Splunkbase and check out the Null Result Swapper example. Basically Splunk gives you two attributes, i.e. depends and rejects, which can be attached to any visualization element like row, panel or chart etc., and depending on whether the required token is set or unset they can show or hide the same.

In your case you can use the <progress> or <done> search event handler to access one of the default job tokens, i.e. $job.resultCount$, which will be 0 in case of no results found.

<done>
    <condition match=" 'job.resultCount' == 0">
        <set token="show_html">true</set>
    </condition>
    <condition>
        <unset token="show_html"/>
    </condition>
</done>

Refer to documentation: http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#done

Then use the token $show_token$ with the depends attribute to show the timechart only when results exist. You can also add an HTML panel with the rejects attribute with the same token to show your custom error message in case no results are found and $show_tokens$ is not set.

<chart rejects="$show_html$">
   ...
</chart>
<html depends="$show_html$">
     <div style="font-weight:bold;font-size:150%;text-align:center;color:red">
          No results found for selected timerange. Please relax the search filters or increase the time range.
     </div>
</html>

Try the following run anywhere dashboard:

<form>
  <label>Show hide using depends and rejects on no results found</label>
  <fieldset submitButton="false">
    <input type="time" token="tokTime" searchWhenChanged="true">
      <label>Select Time</label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart rejects="$show_html$">
        <search>
          <query>index=_internal sourcetype=splunkd log_level="ERROR"
          | timechart count</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <progress>
            <condition match="$job.resultCount$ == 0">
              <set token="show_html">true</set>
            </condition>
            <condition>
              <unset token="show_html"/>
            </condition>
          </progress>         
        </search>
      </chart>
      <html depends="$show_html$">
         <div style="font-weight:bold;font-size:150%;text-align:center;color:red">
              No results found for selected timerange. Please relax the search filters or increase the time range.
         </div>
      </html>
    </panel>
  </row>
</form>



| eval message="Happy Splunking!!!"




Re: Timechart with no data gives "No results found"

SplunkTrust

Thanks for the detailed answer. Unfortunately, I need to embed the report in an iframe. As I understand it, I can't embed a dashboard.

0 Karma

Re: Timechart with no data gives "No results found"

Legend

@burwell, there is a crooked way of embedding a dashboard in your webpage, but it opens up a clickjacking attack. Refer to my answer: https://answers.splunk.com/answers/582632/how-do-you-use-custom-xml-in-reports-from-dashboar.html#an...

However, if you want to stick to Report you can try a search like the following:

index=_internal sourcetype=splunkd log_level=ERROR
| timechart count
| appendpipe
    [| makeresults
    | eval count=0]
| dedup _time

It appends a dummy row for the current time with count 0. If the timechart returns any records, the current _time will have either 0 or a positive count; hence dedup _time will reject the appended dummy row.
If the timechart returns no results, it will keep the dummy row for the current time with count=0; hence it will show a blank timechart instead of "No results found".

For your sample query you can try the following:

index=foo "Bad error"
| timechart span=1m count as "Bad Error"
| appendpipe
    [| makeresults
    | eval "Bad Error"=0]
| dedup _time

Please see if one of these options works for you and confirm.




| eval message="Happy Splunking!!!"


0 Karma

Re: Timechart with no data gives "No results found"

SplunkTrust

Hi. Yes I did not want to open up clickjacking. Your solution above works perfectly! We see an empty timechart when there are no errors instead of the "No results" error. Perfect. Thanks.

0 Karma

Re: Timechart with no data gives "No results found"

Legend

Yay! Glad one of the options worked 🙂




| eval message="Happy Splunking!!!"


0 Karma

Re: Timechart with no data gives "No results found"

SplunkTrust

Slow clap. This is awesome @niketnilay


Re: Timechart with no data gives "No results found"

Legend

@skoelpin, thanks it means a lot 🙂




| eval message="Happy Splunking!!!"


0 Karma

Re: Timechart with no data gives "No results found"

Esteemed Legend

Try this:

index=foo "Bad Error"
| appendpipe [|makeresults]
| timechart span=1m count(eval(searchmatch("Bad error"))) AS "Bad Error"
0 Karma

Re: Timechart with no data gives "No results found"

SplunkTrust

Hi Woodcock. So my "Bad Error" code was really status="500" and so I couldn't get this method to work. I wasn't sure what to put in the searchmatch..

0 Karma
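
Added example, not posted by any participant in this thread: one way to write the report search for the status="500" case from the last post, so the embedded report draws an empty chart rather than "No results found". It assumes the events in index=foo carry an extracted field named status, and it uses a different variant from the dedup approach above: the zero row is appended only when the timechart returned nothing (the field name rows is a placeholder chosen here).

```spl
index=foo
| timechart span=1m count(eval(status="500")) AS "Bad Error"
| appendpipe
    [ stats count AS rows
    | where rows=0
    | eval _time=now(), "Bad Error"=0
    | fields - rows ]
```

Because the condition is evaluated inside count(eval(...)) instead of the base search, minutes that contain events but no 500s are charted as 0; the appendpipe branch only matters when index=foo has no events at all in the selected range.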