Synopsis
A function that returns 0 when no events match instead of 'No Results Were Found'. Mostly recommended for monitors that should alert you when no events match your query.
Syntax
set emptylogs
Required Arguments
A count aggregation must precede the function.
Optional Arguments
None
Description
When used following the initial simple search query, returns the number of events resulting from the search. When used iteratively, counts the number of results returned from the complex search preceding the pipe. If no events matched, returns 0 rather than 'No Results Were Found'.
Examples
Example 1:
ResponseStatus >= 400 in log.access | count | set emptylogs
Returns the number of events in log.access whose ResponseStatus value is greater than or equal to 400, or 0 if no events match at all.