How to Display Custom Message in Place of “No results found.” in SPLUNK Dashboard

We are all familiar with the “No results found.” message in Splunk; it is the most common error message in Splunk. It appears for two reasons.

  • When we use incorrect field names.
  • When there is no data in the given time range, even though the field names are correct.

Samples:

Here we have given the wrong field name, “bytessss”. No such field exists in the “_internal” index.


Here we have given the right field name, “method”, but there is no data in the given time range. We have set the time range to 10 seconds.


Save the query to the dashboard


In the above screenshot you can see the error message “No results found.”.

Now we will display a custom message instead of this one. An example is given below.


Here we have displayed “PODA LOOSEEEEEEEE !!” instead of “No results found.”.

 

Source code of the dashboard

Load your dashboard. In the top right corner you will find the edit option. If you click on that, you will find the source option in the top left corner. You have to edit the source code of your dashboard.


Here we have given the main search the id “search_logic” and then written our query. After that we have set a condition that checks whether the job's result count is equal to zero; if it is, a token “show_html” is set. Write the condition as match="$job.resultCount$ == 0". Otherwise the token is unset.

If the search returns any results, the condition is false; the table rejects the token and uses the main search through the id we gave at first. If the search returns no results, the condition is true; the token is set and the output “PODA LOOSEEEEEEEE !!” is displayed. Here we have used “depends” to hide the message when the condition is false.
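
The dashboard source described above, written out as an added example (it is not the original post's own source). The query, the 10-second time range values, the dashboard label and the choice of the `<done>` handler are assumptions; the “search_logic” id, the “show_html” token, the match condition and the depends/rejects attributes follow the description.

```xml
<dashboard>
  <!-- Label is an assumed placeholder -->
  <label>Custom message instead of "No results found."</label>

  <!-- Main search, referenced later by its id -->
  <search id="search_logic">
    <!-- Assumed sample query over the _internal index -->
    <query>index=_internal sourcetype=splunkd_ui_access | top method</query>
    <earliest>-10s</earliest>
    <latest>now</latest>
    <!-- Evaluated when the search job finishes (assumed handler) -->
    <done>
      <!-- Zero results: set the token that reveals the message -->
      <condition match="$job.resultCount$ == 0">
        <set token="show_html">true</set>
      </condition>
      <!-- Any results: clear the token so the table is shown -->
      <condition>
        <unset token="show_html"></unset>
      </condition>
    </done>
  </search>

  <row>
    <panel>
      <!-- Shown only while show_html is set -->
      <html depends="$show_html$">
        <p>PODA LOOSEEEEEEEE !!</p>
      </html>
      <!-- Hidden while show_html is set; reuses the main search results -->
      <table rejects="$show_html$">
        <search base="search_logic"></search>
      </table>
    </panel>
  </row>
</dashboard>
```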

Note :

  • You can also show this custom message when the query has a syntax error such as
    index=_internal sourcetype=splunkd_ui_access 
    | eval New_Field=if(method="GET","UP", )
    Here we have not put the else part in the if function.
  • But the custom message is not shown if you write a wrong command such as
    index=_internal sourcetype="splunkd_ui_access" | toppy method
    Here we have put “toppy” after the pipe, and there is no such command in Splunk. It will show an error like “Search Factory: Unknown search command ‘toppy’.”

 

Hope this has helped you achieve the requirement below without fail:

How to Display Custom Message in Place of “No results found.” in SPLUNK Dashboard

Happy Splunking !!

 
