Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: help for displaying a message in case of any r...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I use the search below which works fine
I just have an issue when there is no results
In this case, I would like to display : "0 hosts Online / X machines" (I also need that the count of X machines which corresponds to NbIndHost works)
Actually, when there is no results it returns me "Any results"
So there is an issue in the EVAL in the last line but I dont understand where
Could you help me please?
[| inputlookup host.csv
| table host] index="X" sourcetype="winhostmon" Type=Service Name=SplunkForwarder
| stats latest(_time) as _time by host
| eval DiffInSeconds = (now() - _time)
| eval DiffInMinutes=DiffInSeconds/60
| eval Status=if(DiffInSeconds<3601, "Online", "Offline")
| eval EventCreatedTime=strftime(_time,"%d-%b-%Y %H:%M:%S %p %Z" )
| table host EventCreatedTime DiffInMinutes Status
| sort +EventCreatedTime
| dedup host
| eval Code = if(like(Status,"Online"), "Online", "Offline")
| lookup lookup_cmdb_fo_all.csv HOSTNAME as host output SITE
| search SITE=$tok_filtersite|s$
| stats dc(host) AS OfflineCount by Code
| appendcols
[| inputlookup host.csv
| lookup lookup_cmdb_fo_all.csv HOSTNAME as host output SITE
| search SITE=$tok_filtersite|s$
| stats count as NbIndHost]
| where Code = "Offline"
| fields OfflineCount NbIndHost
| eval OfflineCount = if(OfflineCount> 0, tostring(OfflineCount) + " host Offline","no host offline") + " / " + NbIndHost + " machines "
| fields - NbIndHost
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem is with the combination of | stats dc(host) AS OfflineCount by Code and | where Code = "Offline". If there are no 'offline' events, that will cause the stats command to not return any rows with Code="Offline", so after the where, you have 0 results. It will not magically add a row with Code=Offline and offlineCount=0.
So one way to solve that, is to add that row yourself, by adding the following code after the line with the stats command:
| append [| makeresults | eval Code="Offline", OfflineCount=0 | fields Code, OfflineCount]
| dedup Code
The append will add the default 'count=0' row at the bottom, the dedup will remove that row if there already was a row with an actual count for that code.
It would also be safer to move the appendcols to after the | where Code = "Offline". Since your appendcols only returns 1 row and if you have multiple rows before the | where Code = "Offline", only the first line gets the additional column filled in.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem is with the combination of | stats dc(host) AS OfflineCount by Code and | where Code = "Offline". If there are no 'offline' events, that will cause the stats command to not return any rows with Code="Offline", so after the where, you have 0 results. It will not magically add a row with Code=Offline and offlineCount=0.
So one way to solve that, is to add that row yourself, by adding the following code after the line with the stats command:
| append [| makeresults | eval Code="Offline", OfflineCount=0 | fields Code, OfflineCount]
| dedup Code
The append will add the default 'count=0' row at the bottom, the dedup will remove that row if there already was a row with an actual count for that code.
It would also be safer to move the appendcols to after the | where Code = "Offline". Since your appendcols only returns 1 row and if you have multiple rows before the | where Code = "Offline", only the first line gets the additional column filled in.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
perfect thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jip31
You can set/unset and display a custom message on the basis of resultCount.
If resultCount is ZERO then
set show_msg token and unset 'show_table` token
else
vise-versa
I have found one blog on that.
Below are a few links with a different approach to try.
https://answers.splunk.com/answers/78124/no-results-found-i-want-to-show-other-message.html
https://answers.splunk.com/answers/50379/table-message-when-no-results-found.html
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks for this information
BUT
Considering I need to display NbIndHost value even if OfflineCount=0 I am almost sure that there is the possibility to display something like this :
"0 hosts Online / 35 machines"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jip31
Then Can you please try to update your appendcol search make it like below.
| inputlookup host.csv
| lookup lookup_cmdb_fo_all.csv HOSTNAME as host output SITE
| stats count(eval(sourcetype="$tok_filtersite|s$")) as NbIndHost
Here you have to use appropriate by clause in search.
Execute my sample search:
index="_internal" sourcetype="*" | stats count(eval(sourcetype="splunkd")) as count by sourcetype
Thanks
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
