- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Splunk display 0 when no results found from la...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk display 0 when no results found from last x minutes
Hi Team,
Need help in creating a query.
I want to display 0 when no data/events found. But I am getting "No results found. Try expanding the time range."
either by using "fillnull value =0" or "eval Data=if(isnull(Data),0,Data)". but no result.
I am using query as :
sourcetype=systems earliest=-15m
| timechart span=1m count as Data
| eval Data=if(isnull(Data),0,Data)
OR
sourcetype=systems earliest=-15m
| timechart span=1m count as Data
| fillnull value=0 Data
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sahil237888 try one of my older answers you can use $job.resultCount$ inside search event handler for above query and if the count is 0 unset the token to show a different panel with 0 count using rejects otherwise display the time chart. The answer in discussion also talks about showing empty timechart for 0 result count if required.
https://answers.splunk.com/answers/595248/timechart-with-no-data-gives-no-results-found.html
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @niketnilay,
Actually the thing is I am creating an alert so $job.resultcount$ can work only with dashboards but not with query.
Any suggestion on that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That is the second option I mentioned which is explained in the message of my answer above.
Have you tried adding the following appendpipe to your existing search?
sourcetype=systems earliest=-15m
| timechart span=1m count as Data
| fillnull value=0 Data
| appendpipe
[| makeresults
| bin _time span=1m]
| dedup _time
| fillnull value=0 Data
Following is a run anywhere example based on the answer posted in the above answer:
index=_internal sourcetype=splunkd log_level=ERROR
| timechart span=1m count as Data
| appendpipe
[| makeresults
| bin _time span=1m]
| dedup _time
| fillnull value=0 Data
| makeresults | eval message= "Happy Splunking!!!"
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
