How to display "0" instead of "No Results Found"

auaave
Communicator

Hi guys!

I have the below query for a Single Value Dashboard Panel. It is counting the daily total error duration of the system.
My problem with this is, when there is no error, it displays "No Results Found" instead of "00:00:00" or "0".

How can I fix this?

| stats sum(DURATION) AS "DURATION" 
| eval secs=DURATION%60,mins=floor((DURATION/60)%60),hrs=floor((DURATION/3600)%60) 
| eval HOURS=if(len(hrs)=1,"0".tostring(hrs), tostring(hrs)),MINUTES=if(len(mins)=1,"0".tostring(mins), tostring(mins)),SECONDS=if(len(secs)=1,"0".tostring(secs), tostring(secs)) 
| eval Time=HOURS.":".MINUTES.":".SECONDS
| fields + Time

micahkemp
Champion

Try this:

| append [|makeresults | eval DURATION=0]
| stats sum(DURATION) AS DURATION 
| eval secs=DURATION%60,mins=floor((DURATION/60)%60),hrs=floor((DURATION/3600)%60) 
| eval HOURS=if(len(hrs)=1,"0".tostring(hrs), tostring(hrs)),MINUTES=if(len(mins)=1,"0".tostring(mins), tostring(mins)),SECONDS=if(len(secs)=1,"0".tostring(secs), tostring(secs)) 
| eval Time=HOURS.":".MINUTES.":".SECONDS 
| fields + Time

The append line adds a dummy event, so that there is always at least one event.

Edit: actually, I think this may be more reasonable:

 | stats count, sum(DURATION) AS DURATION
 | fillnull value=0 DURATION
 | eval secs=DURATION%60,mins=floor((DURATION/60)%60),hrs=floor((DURATION/3600)%60) 
 | eval HOURS=if(len(hrs)=1,"0".tostring(hrs), tostring(hrs)),MINUTES=if(len(mins)=1,"0".tostring(mins), tostring(mins)),SECONDS=if(len(secs)=1,"0".tostring(secs), tostring(secs)) 
 | eval Time=HOURS.":".MINUTES.":".SECONDS 
 | fields + Time

joesrepsolc
Communicator

Thanks for sharing... just used this fillnull function. Perfect!

auaave
Communicator

@micahkemp, thanks for your reply! It is still showing "No Results Found" on the Dashboard.

micahkemp
Champion

Edited my answer. My initial search caused there to always be events, but DURATION was absent, which is why my search worked when testing but not for you. I've updated it to work even when no events are present.

auaave
Communicator

It worked!
Thanks a lot @micahkemp!
