Solved: Re: Change the ''Waiting for data... '' message wi...

andrei1bc · ‎02-18-2016

My search :

  index=test
  | where Value>=95
  | stats count(Value) as Events by Host

The result :

if there are values above 95 a table will be created by Host and number of Events per host
if there are no values above 95 i would like to return just a message "test" or an Event field as 0

vasildavid · ‎02-18-2016

Try replacing the 'where' with an eval in your stats command:

index=test
| stats count(eval(Value>=95)) AS Events by Host

That should result in either a count of your events that have the field Value >= 95 or 0 if no events meet that criteria.

View solution in original post

jeffland · ‎02-18-2016

Generally, try to limit the data you search over as early as possible. In your case, instead of

index=test | where Value>=95

you do

index=test Value>=95

This will speed up your searches a lot, because splunk has to fetch a lot less events from disk.

vasildavid · ‎02-18-2016

Try replacing the 'where' with an eval in your stats command:

index=test
| stats count(eval(Value>=95)) AS Events by Host

That should result in either a count of your events that have the field Value >= 95 or 0 if no events meet that criteria.

andrei1bc · ‎02-18-2016

The result for me is a table with multiple hosts and a 0 under Events. Can this be refined to just return a general 0 or message if there are no values above 95 (instead of multiple lines, just 1) ?

andrei1bc · ‎02-18-2016

haha .. never mind ... just remove the Host at the end ...

  index=test
  | stats count(eval(Value>=95)) AS Events

Change the ''Waiting for data... '' message with a value or word

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?