Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me search to return results even if there are none available?

ryhluc01
Communicator
‎01-14-2019 08:50 AM

I have 2 source types that run every morning at 8:30am.

If 1 or more does not, I need to still see the source types as having a value of 0 instead of displaying "No results found. Try expanding the time range.".

Overall: I need all the specified source type names to be returned within the results so that I can assign a value of 0 to them.

This is what I have: 

index=example sourcetype=exp1 OR sourcetype=exp2
| stats count(_time) as count by sourcetype

The above syntax will let me know how many reports ran in the last 24 hrs at the time we specified (which is what I want).

But, in the event that 1 or both or these reports fail to run, I need to still be able to see each source type within my results.

I would like to assign a 0 value to the count for the source type that didn't generate any results.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎01-14-2019 10:55 AM

@ryhluc01 try the following search:

index=example sourcetype=exp1 OR sourcetype=exp2 
| stats count by sourcetype 
| append 
    [| makeresults 
    | fields - _time 
    | eval sourcetype="exp1,exp2" 
    | makemv sourcetype delim=","
    | mvexpand sourcetype 
    | eval count=0] 
| dedup sourcetype
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

CryoHydra
Path Finder
‎04-09-2019 04:04 AM 
index=example sourcetype=exp1 OR sourcetype=exp2 
| stats count(_time) as total_count eval(count(sourcetype="exp1") as ex1_count eval(count(sourcetype="exp2")) as ex2_count by index

This is another tweak you can employ in your search 😉

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎01-14-2019 10:55 AM

@ryhluc01 try the following search:

index=example sourcetype=exp1 OR sourcetype=exp2 
| stats count by sourcetype 
| append 
    [| makeresults 
    | fields - _time 
    | eval sourcetype="exp1,exp2" 
    | makemv sourcetype delim=","
    | mvexpand sourcetype 
    | eval count=0] 
| dedup sourcetype
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

ryhluc01
Communicator
‎01-14-2019 11:10 AM

@niketnilay You're amazing. This worked perfectly. Thank you so much for your input ^_^

Reply
Solved! Jump to solution

niketn
Legend
‎01-14-2019 01:05 PM

Glad you found this working!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

zonistj
Path Finder
‎01-14-2019 10:16 AM

Are you wanting to do this in a dashboard on inline in a search?

0 Karma
Reply
Solved! Jump to solution

ryhluc01
Communicator
‎01-14-2019 11:06 AM

inline search

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...