showing table despite no results

lostcauz3 · ‎12-06-2021

TYPE	Month	KPI_1	KPI_2
GLOBAL	Oct'21	76	24
LOCAL	Oct'21	46	67

I'm searching the table like | search TYPE="GLOBAL" | search Month="Oct'21"

Then i'm transposing the table after deleting the months field

| fields - Month | transpose header_field=TYPE column_name=KPI

My problem is sometimes when I'm searching something that is not there like Month="Sep'21"

only the first column of the transposed table is coming

like

KPI

KPI_1

KPI_2

How to show no results found instead of this 1 column table

PickleRick · ‎12-12-2021

| foreach * 
[ eval r=if(<<FIELD>>!="kpi",coalesce(r,<<FIELD>>),r)]
| where r!=kpi
| fields - r

yuanliu · ‎12-12-2021

You may want to post sanitized code to show how different conditions cause the first column to remain when no data return from searches and filters.

In my testing, the only way the first column after transpose remain when filters return no data is if the filter like Month="Sep'21" is positioned AFTER the filter to remove Month from the table. The following table illustrates two code examples that produce different outputs after transpose. The first one is your desired outcome, the second the erroneous outcome.

1. No table

2. Table with first column

| search Type=Global
| search Month="Sept'21"

| fields - Month

| transpose header_field=TYPE column_name=KPI

| search Type=Global

| fields - Month

| search Month="Sept'21"
| transpose header_field=TYPE column_name=KPI

I do not know what causes the second code to show a first column, but the second code is incorrect in that searching for a field that is explicitly dropped is pointless.

showing table despite no results

fields

stats

table

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?