Hello All,
I am trying to make it so that when a search string returns the "No Results Found" message, it actually displays a zero.
Here's what I am trying to achieve. I have a single value panel. I have this panel display the sum of login failed events from a search string. However, when there are no events to return, it simply puts "No results found" or "N/A". I want this to display a 0 as it is much easier on the eye (you know there were no results as opposed to thinking "did my search fail?").
Here's the search I have so far that will either return the sum of all failed login events, or the "No results found" message:
index=infrastructure
sourcetype=linux_secure
"Too many authentication failures"
| rex "failures for (?<account>[\w\.]+)"
| search account=* host=*
| stats count as failures by account
| stats sum(failures) as sub_failures
| eval total_failures = if(isnull(sub_failures),"0",sub_failures)
| fields total_failures
It will return the total number of login failed events if any are generated. However, if there are none, it will display "No results found" where I really want it to just display 0.
Anyone willing to help a buried Splunker 😛