Solved: Timechart: How to show "0"when no results found

kryzew · ‎12-08-2020

Hello,

I'm try go get "0" in my result when there is no events. I get only "no result found".

index=*mysearch
| timechart count as count
| accum count as count

Any idea?

rafamss · ‎12-08-2020

Hey,

Did you see this topic: https://community.splunk.com/t5/Splunk-Search/Timecharts-and-how-to-avoid-quot-no-results-found-insp...
They resolved the same problem that you are facing.

View solution in original post

kryzew · ‎12-10-2020

First solution work for me fine, thank you both for your help.

BR

rafamss · ‎12-08-2020

Hey,

Did you see this topic: https://community.splunk.com/t5/Splunk-Search/Timecharts-and-how-to-avoid-quot-no-results-found-insp...
They resolved the same problem that you are facing.

tonyread · ‎12-08-2020

| makeresults 1 
| timechart count span=1m 
| eval flag=1 
| append 
    [ search index=doesnotexist 
    | timechart count span=1m] 
| timechart sum(eval(flag!=1)) as count 
| fillnull count

Not the most elegant but this might do what you're looking for. Use the makeresults command to force a single result, which you can then do a timecount on, and append that with your actual search (index=*mysearch). If that now returns 0 results, the first search forces in its results and avoids the "no results found" message. I've asumed you want span=1m. You can experiment with this.

Of course, if you just want a single zero as your result, not a table of zeros as in my solution, then that requires a different approach.

Timechart: How to show "0"when no results found

timechart

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases