Splunk Search

Timecharts and how to avoid "no results found inspect"

subtrakt
Contributor

I'm trying to avoid the "no results found. inspect" message when my query returns 0 values. I just want an empty chart to keep my dashboard uniform. I've checked online for a solution but everything I've tried doesn't work.

Here is where I'm at, but it is still showing the "no results found. inspect" message:

MESSAGE=* | append [|eval MESSAGE="Test" | eval MESSAGE=0 | where count==0] | stats c(MESSAGE) | timechart count by MESSAGE

0 Karma
1 Solution

somesoni2
Revered Legend

Try this

your base search | your timechart command | appendpipe [stats count | eval NoResult="" | where count=0 | fields - count]


sansay
Contributor

I think I found a better way.

index=nav_app_oauth (exception="com.datastax.driver.core.exceptions.ReadTimeoutException:" OR "Error creating pool" OR "setting keyspace") | eval errorCreatingPool=case(searchmatch("Error creating pool"),1) | eval errorCreatingKeySpace=case(searchmatch("setting keyspace"),1) | eval errorReadTimeout=case(searchmatch("ReadTimeoutException"),1) | append [search earliest=-1s index=os | eval errorCreatingPool=0 | eval errorCreatingKeySpace=0 | eval errorReadTimeout=0 | fields errorCreatingPool errorCreatingKeySpace errorReadTimeout]
| timechart span=5m sum(error*) as "Error* count"

Essentially you add YourFieldName=0 to the results by running a subsearch over an index which must have data, such as os. This way, the timechart always has something to represent.

Here are the graphs illustrating what happens:
[image: without data found]
[image: with data found]


benlc
Path Finder

I like your answer and it works great.
I would add eval _time = now(); without it, in some dashboard panels you get errors like undefined, NaN and so on because _time is empty.
e.g. your base search | your timechart command | appendpipe [stats count | eval NoResult="", _time=now() | where count=0 | fields - count]

0 Karma
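The appendpipe trick from the accepted answer, combined with benlc's _time=now() addition, applied to a concrete SOC-style panel. This is an added example, not a query from any poster in this thread; the index, sourcetype and action=failure filter are assumptions, and the placeholder row uses a named zero-valued field so the chart draws a flat zero line instead of an empty NoResult series.

```spl
index=<your_index> sourcetype=<your_sourcetype> action=failure
| timechart span=5m count as failures
| appendpipe
    [ stats count
    | eval _time=now(), failures=0
    | where count=0
    | fields - count ]
```

The inner stats count returns a single row with count=0 when the timechart produced nothing, so the where clause keeps the placeholder only in that case and drops it whenever real data is present.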

tread_splunk
Splunk Employee

Improvement...

| makeresults 1 
| timechart count span=1h 
| eval count=0 
| append 
    [ search YourSearchHere 
    | timechart count span=1h] 
| timechart sum(count) as count span=1h
0 Karma

moisesroth
Path Finder

Another way to avoid no results on a timechart is to search a big range and limit the result using "sort -_time | head n". Example:
index="*" | timechart count(dst) as Destinations span=10m | sort -_time | head 6
If you need to get the timechart of the past hour, we can search the whole day (or another time range that we know has at least one event), and then limit using head.
In this case the "head 6" is the same as 60 minutes, because our span is 10 minutes.

0 Karma

sansay
Contributor

Careful with index=*. In my experience, 24 hours should be the maximum. And even with a 1 hour time range, if you have a large amount of indexed data, as in my company, your search will retrieve more than 10 billion events. This method will take a long time to complete and be way too expensive in Splunk resources.

0 Karma

moisesroth
Path Finder

I know index=* is a waste of processing. It was just an example. My suggestion is most useful if you have regular events and don't mind waiting some more seconds on your query.

0 Karma

somesoni2
Revered Legend

Also, it would give false results if the data is not available for the selected time range. (If I requested the data for 8:00AM to 9:00AM, I don't want to see data for 6:00AM to 7:00AM.)

0 Karma

moisesroth
Path Finder

You won't get false results because head will limit only the latest events (even if there are no results in the desired range). You want 8 to 9? So search 1 to 9, or the past 24h, and use head to take only the last events based on your span.

0 Karma

subtrakt
Contributor

This suggestion is great - however, when drilling down I've been struggling with "PARSER: Applying intentions failed Drilldown error: unable to drill down from append".

Here's the current CISCO query I'm using...

...| eval Time=_time | convert ctime(Time) | rex "(?i)^([^:]*:){8}(?<CISCO_MESSAGE>.*)$" | eval HOSTMESSAGE=host+CISCO_MESSAGE | timechart span=2m count by HOSTMESSAGE limit=12 | appendpipe [stats count | eval NoResult="" | where count=0 | fields - count]

0 Karma

somesoni2
Revered Legend

It could be due to the fact that you're drilling down on an extracted/calculated field (HOSTMESSAGE). Since you're using a custom field for drill-down, I believe you should use your own drill-down search. Something like this:

<table>
<search>
....
<drilldown>
<link>
<![CDATA[search?q=<<PutYourURLEncoded Query here>>
e.g. search?q=search%20index%3Dyourindexname%20sourcetype%3Dyoursourcetype
]]>
</link>
</drilldown>
</table>
0 Karma

HiroshiSatoh
Champion

Regarding the question:

・It requires a search statement.
append [|eval MESSAGE="Test" | eval MESSAGE=0・・・
->[search XXXX|eval MESSA

・The result is all MESSAGE = 0.
eval MESSAGE="Test" | eval MESSAGE=0
->eval MESSAGE=0

・The output will be one record.
stats c(MESSAGE)
(ex.)
c(MESSAGE)
-----------
123

・It cannot be a timechart because there is no "_time".
| timechart count by MESSAGE

0 Karma