Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timechart - Replace "No Results Found" with "No Activity for Today"

TheJagoff
Communicator
‎07-19-2017 07:12 AM

Hello (again),

To go along with my previous question regarding using span=10 minutes using the following search:
index=wineventlog user="*.ad" TaskCategory="Security Group Management" | timechart span=10m count |reverse

I'm using "today" in the time-picker

This works fine with searches that have data for today. However; some of my searches do not have any activity for today, so the search comes up with "No Results Found".

I would like to replace "No Results Found" with "No Activity for Today". Is this possible and how is this done?
Again, many thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rjthibod
Champion
‎07-19-2017 07:24 AM

This question is a duplicate of this one: https://answers.splunk.com/answers/129774/change-no-results-found-message.html

That question hasn't been answered, but I am pretty sure the answer is no, or at least, not directly.

The HTML text is not defined in any way that is easily changed via CSS.

Instead, you can add a message block to your SimpleXML that you can control. Here is the generic pattern you can use in SimpleXML

<html depends="$search_msg$">
  <h3 style="margin: 60px 0 50px 10px;">$search_msg$</h3>
</html>
<chart rejects="$search_msg$">
  <search>
    <query>
       index=wineventlog user="*.ad" TaskCategory="Security Group Management" | timechart span=10m count |reverse
    </query>
    <done>
      <condition match="'job.resultCount' > 0">
        <unset token="search_msg"/>
      </condition>
      <condition>
        <set token="search_msg">No Activity Found</set>
      </condition>
    </done>          
  </search>
  ...
</chart>

View solution in original post

Reply
Solved! Jump to solution
Solution

rjthibod
Champion
‎07-19-2017 07:24 AM

This question is a duplicate of this one: https://answers.splunk.com/answers/129774/change-no-results-found-message.html

That question hasn't been answered, but I am pretty sure the answer is no, or at least, not directly.

The HTML text is not defined in any way that is easily changed via CSS.

Instead, you can add a message block to your SimpleXML that you can control. Here is the generic pattern you can use in SimpleXML

<html depends="$search_msg$">
  <h3 style="margin: 60px 0 50px 10px;">$search_msg$</h3>
</html>
<chart rejects="$search_msg$">
  <search>
    <query>
       index=wineventlog user="*.ad" TaskCategory="Security Group Management" | timechart span=10m count |reverse
    </query>
    <done>
      <condition match="'job.resultCount' > 0">
        <unset token="search_msg"/>
      </condition>
      <condition>
        <set token="search_msg">No Activity Found</set>
      </condition>
    </done>          
  </search>
  ...
</chart>
Reply
Solved! Jump to solution

TheJagoff
Communicator
‎07-19-2017 08:29 AM

This is exactly what I wanted. Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...