I've read about the many ways to have a dashboard panel show something other than "No results found", but none of them meet my goal. If the search on my panel yields no events, what I want to do is to construct the same output that would typically appear, the only difference being that the count attribute of each field value will be 0.

Details: The final piece of my search is

.... AND (Type = "Critical" OR Type = "Error") | stats count by Type

So, if events are returned, and there is at least one each Critical and Error, then I'll see one field (Type) with two values (Critical and Error). The count attribute for each value is some positive, non-zero value, e.g., if there are 5 Critical and 6 Error, then:

Type      count
Critical  5
Error     6

So, how do I use, e.g., append or appendpipe to produce field Type with value Critical, count=0 and value Error, count=0?

Type      count
Critical  0
Error     0
Hi @williamcharlton0028
Try like this:

yourquery | stats count by Type
| appendpipe
    [| stats count
     | where count=0
     | eval Type="Critical", count=0
     | appendpipe
         [| eval Type="Error", count=0]]
@vnravikumar works well except that it appends unconditionally, i.e., in my dashboard panel, when results are returned, I have two Critical values (>0 and 0) and two Error values (>0 and 0). It should append only when the query returns no results. I see the | where count==0 but it's apparently not working.
Try this:

| appendpipe
    [| stats count
     | where count=0
     | eval Type="Critical", count=0
     | appendpipe
         [| eval Type="Error", count=0]]
@vnravikumar That did it. So, you changed it so that | eval Type="Critical",count=0 | appendpipe [| eval Type="Error",count=0] is performed only when count == 0. I see - thank you.
If resolved, please accept.
@vnravikumar: accepted. Please update your original answer for future viewers?
Thanks. I have updated it.
@williamcharlton0028,
Try adding this to your search:

| append
    [| stats count
     | eval Type="Critical,Error"
     | makemv Type delim=","
     | mvexpand Type]
| stats max(count) as count by Type
Give this a try:

.... AND (Type = "Critical" OR Type = "Error") | stats count by Type
| appendpipe
    [| stats count
     | where count=0
     | eval Type="Critical Error"
     | makemv Type
     | mvexpand Type]
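The two routes in this thread behave differently on a partial result set. The appendpipe form only fires when the main search returns zero rows (the inner | stats count is taken over the main results, and | where count=0 drops the seed row otherwise), so if only Critical events exist, no Error 0 row is produced. The append form with | stats max(count) covers that case as well, because the zero rows are always added and max() keeps the real count where one exists. The search below is an added example, not code posted by anyone in this thread: it generalises the append route so the expected Type values live in one split() list, uses makeresults (a generating command) as the seed row rather than relying on an empty | stats count, and uses placeholder index and sourcetype values that you must replace with your own.

```spl
index=<your_index> sourcetype=<your_sourcetype> (Type="Critical" OR Type="Error")
| stats count by Type
| append
    [| makeresults
     | eval Type=split("Critical,Error", ",")
     | mvexpand Type
     | eval count=0]
| stats max(count) as count by Type
```

With 5 Critical and 6 Error events the result is Critical 5 / Error 6; with only Critical events it is Critical 5 / Error 0; with no events at all it is Critical 0 / Error 0. To add another expected value, extend the comma-separated string in split(). Note that append runs the bracketed search as a subsearch, so the dashboard panel's own search remains the outer one and its time picker still applies to the real counts.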