All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using Status Indicator Visualization with no events found (count should be set to 0 instead of NULL)

brandonbachman
Engager
‎01-06-2020 06:56 PM

I am using the following query to create a visualization that turns green if there are events, and if there are no events the background turns red.

server="SERVER-1"
| stats count by server
| eval server="SERVER-1", color=if(count<=0, '#dc4e41", "#65a637"),icon=if(count<=0,"times-circle","check-circle")
| table server icon color count

The visualization works correctly when there are events found (the background is green with a check icon).
However, when there are no events found, a message appears that says "No results found. Try expanding the time range."

Instead of "No results found" I would like count to be set to 0 which will make the background turn to red and make the icon change.
How do I make it so count is set to 0 so that the values for color and icon change to red and "times-circle"?

When there are no events I need count to be set to 0 instead of null

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

493669
Super Champion
‎01-06-2020 10:12 PM

Hi @brandonbachman,
as per solution from @woodcock -
Add this to the bottom of your search SPL string:

 | appendpipe [stats count | where count=0]

View solution in original post

Reply
Solved! Jump to solution
Solution

493669
Super Champion
‎01-06-2020 10:12 PM

Hi @brandonbachman,
as per solution from @woodcock -
Add this to the bottom of your search SPL string:

 | appendpipe [stats count | where count=0]
Reply
Solved! Jump to solution

joshimeister
Loves-to-Learn Lots
‎07-16-2020 04:06 PM

Hello @493669 ,

Im running into the same issue with the 0 value. Not sure what im doing wrong. I tried your suggestion but that didnt work for me.

Original query without your suggestion:

<query><basic query> error_field="*CRASHED*"
 | rex field=error_field "<error field content extracted with rex command>"
| stats count AS crashed_count BY app_name,org_name,space_name,name,crash_reason
| rangemap field=crashed_count #65a637=0-0 #F93208=1-9 #f58f39=10-99 #d93f3c=100-10000 default=#65a637
| rename range as range_color
| rangemap field=crashed_count ambulance=0-0 optin-monster=1-9 warning=10-99 stethoscope=100-10000 default=ambulance
| rename range as range_icon
| table crashed_count range_icon range_color</query>

 

With your suggestion:


<query><basic query> error_field="*CRASHED*"
 | rex field=error_field "<error_field content extracted with rex command>"
| stats count AS crashed_count BY app_name,org_name,space_name,name,crash_reason
| rangemap field=crashed_count #65a637=0-0 #F93208=1-9 #f58f39=10-99 #d93f3c=100-10000 default=#65a637
| rename range as range_color
| rangemap field=crashed_count ambulance=0-0 optin-monster=1-9 warning=10-99 stethoscope=100-10000 default=ambulance
| rename range as range_icon
| table crashed_count range_icon range_color
| appendpipe [stats count | where crashed_count=0]</query>

  

0 Karma
Reply
Solved! Jump to solution

brandonbachman
Engager
‎01-07-2020 11:12 AM

That worked, thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...