- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to show custom message
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to show custom message
Below is the source of my code. I want to display "A Custom Message" instead of "No results found" I tried many ways but still it shows me No results found. How can i do that and when I've results i want to see the bar chart with tableName which somehow is not showing now. My Splunk Version is 7.0.1
My Query: index=index sourcetype="sourcetype" TableName=* ErrorTotal>0
| chart sum(Errors) as "Error Row",sum(When) as "Conditional Rows",sum(NULL) as "NULL" by TableName
TestDashboard index=index sourcetype="sourcetype" TableName=* ErrorTotal>0 | chart sum(Errors) as "Error Row",sum(When) as "Conditional Rows",sum(NULL) as "NULL" by TableName -24h@h now 1 ellipsisNone 0 visible visible visible none linear none linear none 0 inherit bar 50 10 area gaps none 0.01 default minimal none 0 0 ellipsisMiddle standard right 2 0 1 medium
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
index=index sourcetype="sourcetype" TableName=* ErrorTotal>0
| chart sum(Errors) as "Error Row",sum(When) as "Conditional Rows",sum(NULL) as "NULL" by TableName
| appendpipe [| stats count | where count=0 | eval Message="Your Custom Message Here" | table Message]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Somesoni2 for your response. I tried this earlier and it doesn't still shows the custom message.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There was a missing double quotes which I added now.
I got similar query working for me. See this runanywhere sample search , need access to _internal index in order to run it. Just add some dummy keywords in the base search so that it will not return anything.
index=_internal sourcetype=scheduler result_count>0| chart sum(result_count) as ResultCount sum(run_time) as "RunTime" by status | appendpipe [| stats count | where count=0 | eval Message="Custom"| table Message]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, I saw there was a missing quotes and added that. I tried the sample query as well but still I see my chart with lines when there're no results instead of custom message.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So you do see a table with custom message in Statistics tab? What should your bar chart show when there are no results.?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, I see the custom message in statistics tab. It still shows me empty bar chart.
If in case there're no result Instead of showing an empty bar chart I wanted to show a custom message eg. "No errors Found".
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
