Splunk Search

show empty table instead of no results found

jeroenborger
Explorer

hello splunk communitie, i am new to splunk but found allot of information allready but i have a problem with the given statement down below. in normal situations this search should not give a result. but then it shows as no results found and i want that is just shows 0 on all fields in the table. but when there are results it needs to show the results and not the 0.

i tried to do it with a eval if statement.
i tried it with the fillnull statement.

index=msad OR windows OR wineventlog host=%hostname% EventCode=4897 NOT (user="*$" OR user="-")

| dedup _time
| stats count,Values(Token_Elevation_Type) as "Token" by user Token_Elevation_Type
| table host,user,count,Token
| sort - count

greetings Jeroen

0 Karma
1 Solution

renjith_nair
Legend

@jeroenborger ,

try

| appendpipe [|stats count|where count=0]|fillnull value=0 host,user,Token

In b/w fields in your stats command and table command does not match. You might see null for those fields which are not part of your stats, for e.g. host.

index=msad OR windows OR wineventlog host=%hostname% EventCode=4897 NOT (user="*$" OR user="-") 
| dedup _time 
| stats count,Values(Token_Elevation_Type) as "Token" by user Token_Elevation_Type
| appendpipe [|stats count|where count=0]|fillnull value=0 Token,user,Token_Elevation_Type
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma

renjith_nair
Legend

@jeroenborger ,

try

| appendpipe [|stats count|where count=0]|fillnull value=0 host,user,Token

In b/w fields in your stats command and table command does not match. You might see null for those fields which are not part of your stats, for e.g. host.

index=msad OR windows OR wineventlog host=%hostname% EventCode=4897 NOT (user="*$" OR user="-") 
| dedup _time 
| stats count,Values(Token_Elevation_Type) as "Token" by user Token_Elevation_Type
| appendpipe [|stats count|where count=0]|fillnull value=0 Token,user,Token_Elevation_Type
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

jeroenborger
Explorer

thanks your statement works like i want 🙂 thank you for the help!

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...