- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Timechart - Replace "No Results Found" with "N...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello (again),
To go along with my previous question regarding using span=10 minutes using the following search:
index=wineventlog user="*.ad" TaskCategory="Security Group Management" | timechart span=10m count |reverse
I'm using "today" in the time-picker
This works fine with searches that have data for today. However; some of my searches do not have any activity for today, so the search comes up with "No Results Found".
I would like to replace "No Results Found" with "No Activity for Today". Is this possible and how is this done?
Again, many thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This question is a duplicate of this one: https://answers.splunk.com/answers/129774/change-no-results-found-message.html
That question hasn't been answered, but I am pretty sure the answer is no, or at least, not directly.
The HTML text is not defined in any way that is easily changed via CSS.
Instead, you can add a message block to your SimpleXML that you can control. Here is the generic pattern you can use in SimpleXML
<html depends="$search_msg$">
<h3 style="margin: 60px 0 50px 10px;">$search_msg$</h3>
</html>
<chart rejects="$search_msg$">
<search>
<query>
index=wineventlog user="*.ad" TaskCategory="Security Group Management" | timechart span=10m count |reverse
</query>
<done>
<condition match="'job.resultCount' > 0">
<unset token="search_msg"/>
</condition>
<condition>
<set token="search_msg">No Activity Found</set>
</condition>
</done>
</search>
...
</chart>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This question is a duplicate of this one: https://answers.splunk.com/answers/129774/change-no-results-found-message.html
That question hasn't been answered, but I am pretty sure the answer is no, or at least, not directly.
The HTML text is not defined in any way that is easily changed via CSS.
Instead, you can add a message block to your SimpleXML that you can control. Here is the generic pattern you can use in SimpleXML
<html depends="$search_msg$">
<h3 style="margin: 60px 0 50px 10px;">$search_msg$</h3>
</html>
<chart rejects="$search_msg$">
<search>
<query>
index=wineventlog user="*.ad" TaskCategory="Security Group Management" | timechart span=10m count |reverse
</query>
<done>
<condition match="'job.resultCount' > 0">
<unset token="search_msg"/>
</condition>
<condition>
<set token="search_msg">No Activity Found</set>
</condition>
</done>
</search>
...
</chart>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is exactly what I wanted. Thank you!
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
