search : no result / single

LauraBre · ‎06-12-2012

hello,

This is my search concerned by the problem :

source="tcp:5543" Requester="uka*" hostname="L05236" earliest=@h latest=now|eval date_hour=strftime(_time, "%H") |stats count by date_hour |rangemap field=count severe=0-0 elevated=1-50 default=low  | eval range=if(date_hour>00 AND date_hour<13 AND count>11, "low",if(date_hour >= 14 AND date_hour < 24 AND count > 11, "severe", range))

My question is : when my search returns no result, the range isn't severe because Splunk no consider that count is 0. So I don't know how can my search takes account when the search returns no result.

Thx by advance,

Laura

emiller42 · ‎06-12-2012

I would try this:
Instead of stats, use timechart. That will retain the buckets with no results, which is the root of your problem. Then you can apply the rangemap, eval date_hour, and apply your final eval.

Like the following:

source="tcp:5543" Requester="uka*" hostname="L05236" earliest=@h latest=now | timechart span=1h count | rangemap field=count severe=0-0 elevated=1-50 default=low  | eval date_hour=strftime(_time, "%H") | eval range=if(date_hour > 00 AND date_hour < 13 AND count > 11, "low",if(date_hour >= 14 AND date_hour < 24 AND count > 11, "severe", range))

search : no result / single

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life