https://community.splunk.com/t5/Splunk-Search/If-specified-field-value-does-not-exist-in-the-current-time/m-p/578085#M201471 <P>You are already using if() function. &nbsp;What is the difference between your pseudo code</P><BLOCKQUOTE>| eval where FIELD=="value" else</BLOCKQUOTE><P>and</P><LI-CODE lang="markup">index=sample_idex sourcetype="smf001" | fields _time, FIELD | lookup sample_lookup.csv system as FIELD output sample_env | eval e=if(in(sample_env, "env"), 1, 0) | where e=1 | eval FIELD = if(FIELD == "value", FIELD, "display something else") | table FIELD</LI-CODE> Fri, 10 Dec 2021 21:28:42 GMT yuanliu 2021-12-10T21:28:42Z https://community.splunk.com/t5/Splunk-Search/If-specified-field-value-does-not-exist-in-the-current-time/m-p/578056#M201458 <P>Hi, hoping to get some more insight on my current problem. My problem is the following&nbsp;<BR /><BR />I am using a where clause to capture data for a specific field value. If the specific value does not exist for the current time period I get the following message as a result '<SPAN>No results found. Try expanding the time range.' Instead of the no results message showing up I would like to display something else. The following is an example.<BR /><BR /></SPAN></P><P>index=sample_idex sourcetype="smf001"<BR />| fields _time,&nbsp; FIELD<BR />| lookup sample_lookup.csv system as FIELD output sample_env<BR />| eval e=if(in(sample_env, "env"), 1, 0)<BR />| where e=1<BR />| where FIELD=="value"<BR />| table FIELD<BR /><BR />I was thinking of doing something like the following with proper syntax:<BR />| eval where FIELD=="value" else&nbsp;</P><P><SPAN>&nbsp;</SPAN></P> Fri, 10 Dec 2021 19:20:47 GMT https://community.splunk.com/t5/Splunk-Search/If-specified-field-value-does-not-exist-in-the-current-time/m-p/578056#M201458 splunk3341 2021-12-10T19:20:47Z https://community.splunk.com/t5/Splunk-Search/If-specified-field-value-does-not-exist-in-the-current-time/m-p/578078#M201467 <P>There is no "else" option to the <FONT face="courier new,courier">where</FONT> command.&nbsp; The trick to solving this problem is to have a query that produces a result even if no events are found.&nbsp; That's where the <FONT face="courier new,courier">appendpipe</FONT> command comes in handy.</P><LI-CODE lang="markup">index=sample_idex sourcetype="smf001" | fields _time, FIELD | lookup sample_lookup.csv system as FIELD output sample_env | eval e=if(in(sample_env, "env"), 1, 0) | where e=1 | where FIELD=="value" | appendpipe [ stats count | eval FIELD="something else" | where count=0 | fields - count ] | table FIELD</LI-CODE><P>&nbsp;</P> Fri, 10 Dec 2021 20:47:10 GMT https://community.splunk.com/t5/Splunk-Search/If-specified-field-value-does-not-exist-in-the-current-time/m-p/578078#M201467 richgalloway 2021-12-10T20:47:10Z https://community.splunk.com/t5/Splunk-Search/If-specified-field-value-does-not-exist-in-the-current-time/m-p/578085#M201471 <P>You are already using if() function. &nbsp;What is the difference between your pseudo code</P><BLOCKQUOTE>| eval where FIELD=="value" else</BLOCKQUOTE><P>and</P><LI-CODE lang="markup">index=sample_idex sourcetype="smf001" | fields _time, FIELD | lookup sample_lookup.csv system as FIELD output sample_env | eval e=if(in(sample_env, "env"), 1, 0) | where e=1 | eval FIELD = if(FIELD == "value", FIELD, "display something else") | table FIELD</LI-CODE> Fri, 10 Dec 2021 21:28:42 GMT https://community.splunk.com/t5/Splunk-Search/If-specified-field-value-does-not-exist-in-the-current-time/m-p/578085#M201471 yuanliu 2021-12-10T21:28:42Z