https://community.splunk.com/t5/Splunk-Search/Work-around-if-sub-search-does-not-return-data-for-a-where/m-p/362234#M107004 <PRE><CODE>[ search earliest=-24h@h latest=now index="si_errors" sourcetype="si_LateEnd" | dedup ClientID | append [| makeresults | eval ClientID = "NobodyReallyButThereHasToBeSomebody"] | table ClientID ] </CODE></PRE> Thu, 10 Aug 2017 22:05:12 GMT DalJeanis 2017-08-10T22:05:12Z https://community.splunk.com/t5/Splunk-Search/Work-around-if-sub-search-does-not-return-data-for-a-where/m-p/362233#M107003 <P>Search: <BR /> source=<EM>D:\XSP\importhelper</EM> source=<EM>IH_Daily\DebugImportHelper</EM> End<BR /> | eval dayBuffer=strftime(now(), "%d") | eval day=ltrim(tostring(dayBuffer),"0") <BR /> | eval todayBuffer=strftime(now(), "%m_"+day+"_%Y") | eval today=ltrim(tostring(todayBuffer),"0") | where like(source,"%".today."%")<BR /> | rex field=source "importhelpers\+(?ClientID[^\]+)"<BR /> | where (ClientID="WHI") OR (ClientID="IRM")<BR /> | where NOT [ search earliest=-24h@h latest=now index="si_errors" sourcetype="si_LateEnd" | dedup ClientID | table ClientID ] | table ClientID, ...data for each ClientID returned, etc.</P> <P>IF I have results in the sub-search for the "where NOT" clause to compare against then I have no problems and it takes out the ClientIDs I do not want to see. However, if the sub-search is empty (the log files being monitored on sourcetype="si_LateEnd" have not been changed in the last 24 hours) then I get the error:<BR /> "Error in 'where' command: The 'not' function is unsupported or undefined"</P> <P>In this case, based on the above search, I would want to return data for ClientIDs "WHI" and "IRM", rather than get an error. What possible work around is there for this error in my case?</P> Tue, 29 Sep 2020 15:18:28 GMT https://community.splunk.com/t5/Splunk-Search/Work-around-if-sub-search-does-not-return-data-for-a-where/m-p/362233#M107003 griffinpair 2020-09-29T15:18:28Z https://community.splunk.com/t5/Splunk-Search/Work-around-if-sub-search-does-not-return-data-for-a-where/m-p/362234#M107004 <PRE><CODE>[ search earliest=-24h@h latest=now index="si_errors" sourcetype="si_LateEnd" | dedup ClientID | append [| makeresults | eval ClientID = "NobodyReallyButThereHasToBeSomebody"] | table ClientID ] </CODE></PRE> Thu, 10 Aug 2017 22:05:12 GMT https://community.splunk.com/t5/Splunk-Search/Work-around-if-sub-search-does-not-return-data-for-a-where/m-p/362234#M107004 DalJeanis 2017-08-10T22:05:12Z https://community.splunk.com/t5/Splunk-Search/Work-around-if-sub-search-does-not-return-data-for-a-where/m-p/362235#M107005 <P>This works perfect! Thank you so much!</P> Fri, 11 Aug 2017 13:48:56 GMT https://community.splunk.com/t5/Splunk-Search/Work-around-if-sub-search-does-not-return-data-for-a-where/m-p/362235#M107005 griffinpair 2017-08-11T13:48:56Z https://community.splunk.com/t5/Splunk-Search/Work-around-if-sub-search-does-not-return-data-for-a-where/m-p/541388#M153278 <P>Big big kudos buddy for the solution!!!</P><P>I tried all kind of tricks to get around the void list for the subsearch - related to a NOT operator, and finally got this one from you.</P><P>I find some things in the Splunk SPL pretty dumb, just to put it on the polite side!</P><P>Thanks a lot again.</P> Thu, 25 Feb 2021 17:36:29 GMT https://community.splunk.com/t5/Splunk-Search/Work-around-if-sub-search-does-not-return-data-for-a-where/m-p/541388#M153278 mhergh 2021-02-25T17:36:29Z