Are you a member of the Splunk Community?
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- Re: Using Status Indicator Visualization with no e...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am using the following query to create a visualization that turns green if there are events, and if there are no events the background turns red.
server="SERVER-1"
| stats count by server
| eval server="SERVER-1", color=if(count<=0, '#dc4e41", "#65a637"),icon=if(count<=0,"times-circle","check-circle")
| table server icon color count
The visualization works correctly when there are events found (the background is green with a check icon).
However, when there are no events found, a message appears that says "No results found. Try expanding the time range."
Instead of "No results found" I would like count to be set to 0 which will make the background turn to red and make the icon change.
How do I make it so count is set to 0 so that the values for color and icon change to red and "times-circle"?
When there are no events I need count to be set to 0 instead of null
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @brandonbachman,
as per solution from @woodcock -
Add this to the bottom of your search SPL string:
| appendpipe [stats count | where count=0]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @brandonbachman,
as per solution from @woodcock -
Add this to the bottom of your search SPL string:
| appendpipe [stats count | where count=0]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @493669 ,
Im running into the same issue with the 0 value. Not sure what im doing wrong. I tried your suggestion but that didnt work for me.
Original query without your suggestion:
<query><basic query> error_field="*CRASHED*"
| rex field=error_field "<error field content extracted with rex command>"
| stats count AS crashed_count BY app_name,org_name,space_name,name,crash_reason
| rangemap field=crashed_count #65a637=0-0 #F93208=1-9 #f58f39=10-99 #d93f3c=100-10000 default=#65a637
| rename range as range_color
| rangemap field=crashed_count ambulance=0-0 optin-monster=1-9 warning=10-99 stethoscope=100-10000 default=ambulance
| rename range as range_icon
| table crashed_count range_icon range_color</query>
With your suggestion:
<query><basic query> error_field="*CRASHED*"
| rex field=error_field "<error_field content extracted with rex command>"
| stats count AS crashed_count BY app_name,org_name,space_name,name,crash_reason
| rangemap field=crashed_count #65a637=0-0 #F93208=1-9 #f58f39=10-99 #d93f3c=100-10000 default=#65a637
| rename range as range_color
| rangemap field=crashed_count ambulance=0-0 optin-monster=1-9 warning=10-99 stethoscope=100-10000 default=ambulance
| rename range as range_icon
| table crashed_count range_icon range_color
| appendpipe [stats count | where crashed_count=0]</query>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That worked, thank you!
Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco
Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data
Your summer travels continue with new course releases
