Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to edit my search to display "Incomplete" ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jnichols914
Explorer
12-21-2016
09:07 AM
Hi Everyone,
I've looked over the answers for my problem, but I can't seem to get this working correctly. Here is what I want: If I do not find a log for my search, I want my single value dashboard widget to state "Incomplete" and show it in red font. I've got the the single value working if my search is found. Any help would be awesome.
Search that Picks up log correctly, but need it to say "Not Complete" if log is not found:
<query goes here> | eval status=if(like(_raw, "%gcmMtmReports%"), "EU Run Completed", "EU Run Not Complete") | eval status="EU Run Completed" | dedup status | eval status=if(isnull(status),"Not Complete!", status) | table status | eval range=if(status="EU Run Completed","low","severe")
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jnichols914
Explorer
12-21-2016
12:04 PM
OK, So I figured out a solution. Not exactly what I wanted, but this works with what we are trying to do. Please see my XML below. This should help people for the future.
<panel>
<title>Blah</title>
<single>
<search>
<query><query goes here" | stats count as "Reports Generated" |untable _time count value | eval range=if(value==0,"severe","low")</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<option name="underLabel">Green = Completed | Red = Incomplete</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
<option name="linkView">search</option>
</single>
</panel>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
12-21-2016
12:08 PM
Give this a try. If you query has no data, it'll a row with status="Not Complete!" with range="severe"
<query goes here> | eval status=if(like(_raw, "%gcmMtmReports%"), "EU Run Completed", "EU Run Not Complete") | eval status="EU Run Completed" | dedup status | eval status=if(isnull(status),"Not Complete!", status) | table status | eval range=if(status="EU Run Completed","low","severe") | appendpipe [| stats count| where count=0 | eval status="Not Complete!" | eval range="severe" | table status, range]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jnichols914
Explorer
12-21-2016
12:04 PM
OK, So I figured out a solution. Not exactly what I wanted, but this works with what we are trying to do. Please see my XML below. This should help people for the future.
<panel>
<title>Blah</title>
<single>
<search>
<query><query goes here" | stats count as "Reports Generated" |untable _time count value | eval range=if(value==0,"severe","low")</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<option name="underLabel">Green = Completed | Red = Incomplete</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
<option name="linkView">search</option>
</single>
</panel>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
12-21-2016
10:43 AM
See if this works
| eval status=if(like(_raw, "%gcmMtmReports%"), "Completed", "NotComplete")
| stats count by status
| eval "Completed"=if(isnull(Completed) OR Completed=0, "Not Complete", "EU Run Completed")
| table "Completed"
| eval range=if(status="EU Run Completed", "low", "severe")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jnichols914
Explorer
12-21-2016
11:08 AM
Sundareshr,
If my log exsists, your query is returning "Not Complete" and in red. So, it did not fix the issue.
Get Updates on the Splunk Community!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...
Splunk APM: New Product Features + Community Office Hours Recap!
Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...
Index This | Forward, I’m heavy; backward, I’m not. What am I?
April 2024 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with another ...
