https://community.splunk.com/t5/Splunk-Search/How-to-make-use-of-makeresults-statement-based-on-conditions/m-p/385451#M173085 <PRE><CODE>index=app_core sourcetype=app_log apple_cluster_name=APP_TEST is_scheduled=1 eai_acl_owner=* | eval [ search index= app_core sourcetype= app_log apple_cluster_name= APP_TEST is_scheduled=1 eai_acl_owner=* | eval [ search index= app_core sourcetype= app_log is_scheduled=1 apple_cluster_name= APP_TEST eai_acl_owner=* | rex max_match=0 field=search "savedsearch\s{0,}\"{1}(?&lt;anotherSavedSearchUseInSearch&gt;(\w+){0,})" | stats count values(dataStatus) as dataStatus dc(anotherSavedSearchUseInSearch) as rexCount | eval dataStatus = if(count == 0 ,"dataDoesntExist","dataExists") | eval dataStatusAndRexStatus = dataStatus.",".rexCount | return dataStatusAndRexStatus ] | eval dataStatus = mvindex(split(dataStatusAndRexStatus,","),0) | eval rexCount = mvindex(split(dataStatusAndRexStatus,","),1) | rex max_match=0 field=search "savedsearch\s{0,}\"{1}(?&lt;anotherSavedSearchUseInSearch&gt;(\w+){0,})" | eval anotherSavedSearchUseInSearch = case(dataStatus == "dataDoesntExist","NoTitle2", rexCount == 0,"NoTitle2",rexCount &gt; 0,anotherSavedSearchUseInSearch) | stats values(anotherSavedSearchUseInSearch) as Title2 delim=" " | nomv Title2 | return Title2] </CODE></PRE> <P>From subsearch ——&gt; Title2 is returning some value.</P> <P>But mainsearch (index=app_core sourcetype=app_log apple_cluster_name=APP_TEST is_scheduled=1 eai_acl_owner=* ) —&gt; This is common , <BR /> 1. doesnt have any data in it , then it is showing error : Error in 'eval' command: Arguments are missing. Usage: eval dest_key = expression.<BR /> 2. if data exists , then it doesnt thrown any error. </P> <P>The query should also work when data doesnt exists.</P> Tue, 29 Sep 2020 23:15:31 GMT nomadichunters 2020-09-29T23:15:31Z https://community.splunk.com/t5/Splunk-Search/How-to-make-use-of-makeresults-statement-based-on-conditions/m-p/385449#M173083 <P>If in case there are no results then dummy data should be added and returned from the subsearch ortherwise the actual data should be retruned to eval condition?</P> <P>i.e How to make use of makeresults statement based on conditions ?</P> <P>Kindly help</P> Tue, 12 Feb 2019 10:22:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-make-use-of-makeresults-statement-based-on-conditions/m-p/385449#M173083 nomadichunters 2019-02-12T10:22:56Z https://community.splunk.com/t5/Splunk-Search/How-to-make-use-of-makeresults-statement-based-on-conditions/m-p/385450#M173084 <P>Hi,</P> <P>Do you really need to use <CODE>makeresults</CODE> ?</P> <P>You can try something like this</P> <PRE><CODE>| makeresults | eval B_field="" | append [ makeresults | eval B_field="Test"] | eval result=if(isnull(B_field) OR B_field="","Dummy_Data",B_field) </CODE></PRE> Tue, 12 Feb 2019 13:31:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-make-use-of-makeresults-statement-based-on-conditions/m-p/385450#M173084 harsmarvania57 2019-02-12T13:31:22Z https://community.splunk.com/t5/Splunk-Search/How-to-make-use-of-makeresults-statement-based-on-conditions/m-p/385451#M173085 <PRE><CODE>index=app_core sourcetype=app_log apple_cluster_name=APP_TEST is_scheduled=1 eai_acl_owner=* | eval [ search index= app_core sourcetype= app_log apple_cluster_name= APP_TEST is_scheduled=1 eai_acl_owner=* | eval [ search index= app_core sourcetype= app_log is_scheduled=1 apple_cluster_name= APP_TEST eai_acl_owner=* | rex max_match=0 field=search "savedsearch\s{0,}\"{1}(?&lt;anotherSavedSearchUseInSearch&gt;(\w+){0,})" | stats count values(dataStatus) as dataStatus dc(anotherSavedSearchUseInSearch) as rexCount | eval dataStatus = if(count == 0 ,"dataDoesntExist","dataExists") | eval dataStatusAndRexStatus = dataStatus.",".rexCount | return dataStatusAndRexStatus ] | eval dataStatus = mvindex(split(dataStatusAndRexStatus,","),0) | eval rexCount = mvindex(split(dataStatusAndRexStatus,","),1) | rex max_match=0 field=search "savedsearch\s{0,}\"{1}(?&lt;anotherSavedSearchUseInSearch&gt;(\w+){0,})" | eval anotherSavedSearchUseInSearch = case(dataStatus == "dataDoesntExist","NoTitle2", rexCount == 0,"NoTitle2",rexCount &gt; 0,anotherSavedSearchUseInSearch) | stats values(anotherSavedSearchUseInSearch) as Title2 delim=" " | nomv Title2 | return Title2] </CODE></PRE> <P>From subsearch ——&gt; Title2 is returning some value.</P> <P>But mainsearch (index=app_core sourcetype=app_log apple_cluster_name=APP_TEST is_scheduled=1 eai_acl_owner=* ) —&gt; This is common , <BR /> 1. doesnt have any data in it , then it is showing error : Error in 'eval' command: Arguments are missing. Usage: eval dest_key = expression.<BR /> 2. if data exists , then it doesnt thrown any error. </P> <P>The query should also work when data doesnt exists.</P> Tue, 29 Sep 2020 23:15:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-make-use-of-makeresults-statement-based-on-conditions/m-p/385451#M173085 nomadichunters 2020-09-29T23:15:31Z https://community.splunk.com/t5/Splunk-Search/How-to-make-use-of-makeresults-statement-based-on-conditions/m-p/385452#M173086 <P>As stated in the other question (<A href="https://answers.splunk.com/answers/726353/subsearch-returns-empty-value-main-search-also-ret.html">https://answers.splunk.com/answers/726353/subsearch-returns-empty-value-main-search-also-ret.html</A>) you can use a <CODE>eval Title2=coalesce(Title2,"")</CODE> to ensure your subsearch returns a valid result. </P> Tue, 12 Feb 2019 13:53:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-make-use-of-makeresults-statement-based-on-conditions/m-p/385452#M173086 DMohn 2019-02-12T13:53:58Z