Splunk Search

How to handle gracefully "No Results Found"

splunking1t
New Member

Hello,
I've the below query. I wanted to know when there're no errors, instead of showing "No Results Found", how can I show a customized message to the user.
My Query:
index=index sourcetype="sourcetype" SqlTable=* TotalError>0
| chart sum(Errors) as Errors , sum(IfClause) as ClauseErrors by SqlTable

Note: "TotalError" is a calculated field that provides me a sum of "Errors+IfClause". Is there a way to show desired text on output apart from uploading a CSV file?

Tags (1)
0 Karma
1 Solution

niketn
Legend

@splunking1t, get the Splunk Dashboard Examples app from Splunkbase and check out Null Result Swapper example, to show your custom message in case no result is found by the search query.

https://answers.splunk.com/answers/595248/timechart-with-no-data-gives-no-results-found.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn
Legend

@splunking1t, get the Splunk Dashboard Examples app from Splunkbase and check out Null Result Swapper example, to show your custom message in case no result is found by the search query.

https://answers.splunk.com/answers/595248/timechart-with-no-data-gives-no-results-found.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

somesoni2
SplunkTrust
SplunkTrust

Another option is using the appendpipe

index=index sourcetype="sourcetype" SqlTable=* TotalError>0
| chart sum(Errors) as Errors , sum(IfClause) as ClauseErrors by SqlTable
| appendpipe [| stats count | where count=0 | eval message="Your Custom Message Here" | table message
| rename COMMENT as "The appendpipe will add a row with your custom message if search above returns nothing(count=0)"  ]
0 Karma

MuS
SplunkTrust
SplunkTrust

Hi splunking1t,

take a look at this answer https://answers.splunk.com/answers/176466/how-to-use-eval-if-there-is-no-result-from-the-bas-1.html where I explain it in detail how this can be done.

Hope this helps ...

cheers, MuS

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...