Dashboards & Visualizations

Singlevalue display 0 instead of N/A

ipops
Path Finder

I have a simple search

sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count by _time | accum count

This value is displayed as a SingleValue on a dashboard. Problem is when the search returns no results, the Singlevalue Displays N/A.
How can i make it display 0 if no search results are returned?

I tried | fillnull 0 but made no difference

Tags (1)
0 Karma

inventsekar
Ultra Champion

Hi ipops, tested and this works fine.. thanks to Sundaresh Sir.
sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count by _time | accum count | append [|makeresults | eval count=0 | table _time count] | head 2

0 Karma

sundareshr
Legend

Try this

index=_internal | timechart span=1h count | append [|makeresults | eval count=0 | table _time count] | head 2

*OR*

sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count by _time | accum count | append [|makeresults | eval count=0 | table _time count] | head 2
0 Karma

ipops
Path Finder

sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count as Count

That worked. Issue now is my singlevalue trendline option disappeared

0 Karma

dbcase
Motivator

Thats because there is not time reference. Try adding by _time to the end.

0 Karma

ipops
Path Finder

sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count as Count by _time

This restores the sparkline value but shows N/A if no search results are found. I need to display 0 if the search returns nothing

0 Karma

dbcase
Motivator
0 Karma

inventsekar
Ultra Champion

from this above post, lets try this one -
sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2"
| eval isEvent=if(searchmatch("source"),1,0)
| stats count as myCount sum(isEvent) AS isEvent
| eval result=if(isEvent>0, isEvent, myCount)
| table result

0 Karma

inventsekar
Ultra Champion

from this above post, lets try this one -
sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2"
| stats count as myCount
| eval result=if(myCount == 0, 0, myCount)
| stats result by _time

0 Karma

ipops
Path Finder

That search fails

Error in 'stats' command: The argument 'result' is invalid.

0 Karma

inventsekar
Ultra Champion

ok, lets try this -

sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2"
| stats sum(eval(if(isnull(_time),0,1))) as count by _time

0 Karma

inventsekar
Ultra Champion

Hi, may i know if this search works fine -

sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2"
| stats sum(eval(if(isnull(_time),0,1))) as count by _time

0 Karma

ipops
Path Finder

sorry no, All of the searches provided work fine if there is a search result. If nothing is returned the singlevalue is blank instead of displaying 0

0 Karma

inventsekar
Ultra Champion

lets check this -
sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count as Count by _time | replace "N/A" WITH "0" IN Count
or
sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count as Count by _time | replace "N/A" WITH "0"

0 Karma

inventsekar
Ultra Champion

to get the singlevalue trendline option, please check -
sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | timechart count

0 Karma

ipops
Path Finder

sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count as Count | timechart count

This returns the sparkline but shows N/A if no search results are found

0 Karma

dbcase
Motivator
0 Karma

inventsekar
Ultra Champion

please check this one -

sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count as Count

or, maybe -

sourcetype=ivrdata IVR_Message="Platform" IVR_Value="2" | stats count as Count

tested and this works fine -

sourcetype=ivrdata | where IVR_Message="Platform" AND IVR_Value="2" | stats count by _time | accum count | append [|makeresults | eval count=0 | table _time count] | head 2
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...