How to Display Custom Message in Place of “No results found.” in SPLUNK Dashboard
We are all familiar with “No results found.” message in splunk ,this is the most common error message in Splunk. This happens due to two reasons.
- When we put incorrect field names.
- When we didn’t get any data in the given time range in spite of giving the correct field names.
Samples:
Here we have given the wrong field name as “bytessss”. There is no such existing field name in the “_internal” index.
Here we have given the right field name as “method” . There is no data in the given time range. Here we have given the time range as 10 seconds.
Save the query to the dashboard
In the above screen shot you can see error message “No results found.”.
Now we will display the custom message in spite of this. Below we have given the example.
Here we have displayed the “PODA LOOSEEEEEEEE !!” in spite of “No results found.”.
You have to load your dashboard. Then on the top right corner you will find the edit option . If you click on that you will find the source option on the top left corner. You have to edit the source code of your dashboard.
Here we have given an id of the main search as “search_logic” .Then we have written our query.After that we have set condition where we have to check the condition if job result is equal to zero then one token “show_html” will be set .You have to write the condition as match=”$job.resultCount$ == 0”.Otherwise the token will be unset.
If the search returns any value that means the condition is false then the table will reject the token and will use its main search using the id which we have given at first. If the search returns no result that means the condition is true the token will be set and display the output as “PODA LOOSEEEEEEEE !!” . Here we have used “depends” for hiding the message when the condition is false.
Note :
- Also you can show this custom message if you done some syntax error like
index=_internal sourcetype=splunkd_ui_access
| eval New_Field=if(method=”GET”,”UP”, )
Here we don,t put the else part in if function. - But this fails to show this custom message if you write wrong command like
index=_internal sourcetype=”splunkd_ui_access” | toppy method
Here we have put “toppy” after pipe so there is no such command in Splunk . It will show error like “Search Factory: Unknown search command ‘toppy’.”
To download the source code of this dashboard click here
Hope this has helped you in achieving the below requirement without fail :
How to Display Custom Message in Place of “No results found.” in SPLUNK Dashboard
Happy Splunking !!
Still I am not seeing default message of splunk. “No results found.”
Correction for my previous comment. Actually I am still seeing default message of splunk. “No results found.”