https://community.splunk.com/t5/Splunk-Search/where-with-empty-subsearch-result-raises-an-error-message/m-p/708276#M239529 <P>Use the <FONT face="courier new,courier">appendpipe</FONT> command to add synthetic results when the subsearch finds nothing.</P><LI-CODE lang="markup">| where [ | loadjob $stoermeldungen_sid$ | where stoerCode IN ("S00") | addinfo | where importZeit_unixF &amp;gt;= relative_time(info_max_time,"-d@d") AND importZeit_unixF &amp;lt;= relative_time(info_max_time,"@d") | stats count as dayCount by zbpIdentifier | sort -dayCount | head 10 | appendpipe [|stats count as Count | eval zbpIdentifier="Nothing found" | where Count=0 | fields - Count] | table zbpIdentifier ]</LI-CODE><P>&nbsp;</P> Wed, 08 Jan 2025 17:26:07 GMT richgalloway 2025-01-08T17:26:07Z https://community.splunk.com/t5/Splunk-Search/where-with-empty-subsearch-result-raises-an-error-message/m-p/708275#M239528 <P>Dear experts</P><P>Based on the following search:&nbsp;</P><LI-CODE lang="markup"> &lt;search id="subsearch_results"&gt; &lt;query&gt; search index="iii" search_name="nnn" Umgebung="uuu" isbName="isb" status IN ("ALREADY*", "NO_NOTIF*", "UNCONF*", "NOTIF*") zbpIdentifier NOT 453-8888 stoerCodeGruppe NOT ("GUT*") | eval importZeit_unixF = strptime(importZeit, "%Y-%m-%dT%H:%M:%S.%N%Z") | eval importZeit_humanF = strftime(importZeit_unixF, "%Y-%m-%d %H:%M:%S") | table importZeit_humanF importZeit_unixF zbpIdentifier status stoerCode stoerCodeGruppe &lt;/query&gt; &lt;earliest&gt;$t_time.earliest$&lt;/earliest&gt; &lt;latest&gt;$t_time.latest$@d&lt;/latest&gt; &lt;done&gt; &lt;condition&gt; &lt;set token="stoermeldungen_sid"&gt;$job.sid$&lt;/set&gt; &lt;/condition&gt; &lt;/done&gt; &lt;/search&gt;</LI-CODE><P>I try to load some data with:&nbsp;</P><LI-CODE lang="markup">&lt;query&gt; | loadjob $stoermeldungen_sid$ | where stoerCode IN ("S00") | where [ | loadjob $stoermeldungen_sid$ | where stoerCode IN ("S00") | addinfo | where importZeit_unixF &amp;gt;= relative_time(info_max_time,"-d@d") AND importZeit_unixF &amp;lt;= relative_time(info_max_time,"@d") | stats count as dayCount by zbpIdentifier | sort -dayCount | head 10 | table zbpIdentifier ] | addinfo | where ....</LI-CODE><P>Basic idea:&nbsp;</P><UL><LI>the subsearch first derives the top 10 of the elements based on the number of yesterdays error messages.</LI><LI>&nbsp;based on the subsearch result then the 7 day history is read and displayed (not fully shown in the example above)</LI></UL><P>All works fine except if there are no messages found by the subsearch. If yesterday no error messages of the given type were recorded, the subsearch returns a result which causes the following error message in the dashboard:</P><LI-CODE lang="markup">Error in ´where´command: The expression is malformed. An unexpected character is reached at ´)´.</LI-CODE><P>&nbsp;The where command is the one which should take the result of the subsearch (3rd line of code).&nbsp;</P><P>The error message is just not nice for the end user, better would be to get just an empty chart if no data is found.&nbsp;</P><P>The question is: How to fix the result of the subsearch in a way, that also the main search runs and gets the proper empty result, and therefore the empty graph instead of the "not nice" error message?</P><P>Thank you for your help.</P> Wed, 08 Jan 2025 17:17:46 GMT https://community.splunk.com/t5/Splunk-Search/where-with-empty-subsearch-result-raises-an-error-message/m-p/708275#M239528 Ste 2025-01-08T17:17:46Z https://community.splunk.com/t5/Splunk-Search/where-with-empty-subsearch-result-raises-an-error-message/m-p/708276#M239529 <P>Use the <FONT face="courier new,courier">appendpipe</FONT> command to add synthetic results when the subsearch finds nothing.</P><LI-CODE lang="markup">| where [ | loadjob $stoermeldungen_sid$ | where stoerCode IN ("S00") | addinfo | where importZeit_unixF &amp;gt;= relative_time(info_max_time,"-d@d") AND importZeit_unixF &amp;lt;= relative_time(info_max_time,"@d") | stats count as dayCount by zbpIdentifier | sort -dayCount | head 10 | appendpipe [|stats count as Count | eval zbpIdentifier="Nothing found" | where Count=0 | fields - Count] | table zbpIdentifier ]</LI-CODE><P>&nbsp;</P> Wed, 08 Jan 2025 17:26:07 GMT https://community.splunk.com/t5/Splunk-Search/where-with-empty-subsearch-result-raises-an-error-message/m-p/708276#M239529 richgalloway 2025-01-08T17:26:07Z https://community.splunk.com/t5/Splunk-Search/where-with-empty-subsearch-result-raises-an-error-message/m-p/708316#M239542 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;The perfect solution, exactly what I was looking for.<BR />Thank you</P> Thu, 09 Jan 2025 05:25:12 GMT https://community.splunk.com/t5/Splunk-Search/where-with-empty-subsearch-result-raises-an-error-message/m-p/708316#M239542 Ste 2025-01-09T05:25:12Z