topic Re: How to get my eval statement to output a certain value, even if there is no result for a certain field? in Splunk Search

How to get my eval statement to output a certain value, even if there is no result for a certain field?

lloydknight — Tue, 20 Dec 2016 14:18:08 GMT

Hello,

Here's my search string:

index=myindex host=server1 source=mysource
| multikv
| search Process=process1 OR Process=process2
| eval status=if(Runtime!="00:00:00","Running","Not Running") 
| stats latest(status) AS Status, latest(Runtime) AS Runtime by Process

My question is, what if Process=process1 and Process=process2 returns no result?
I want them to display the "Not Running" status, even if there's no result on the Process field.
Searched some answers, but it's not exactly what I am looking for as the dummy field on the answers depends on the | stats count, or maybe I just cannot figure it out.

Can you please guide me in figuring this out?

Thank you kindly.

Re: How to get my eval statement to output a certain value, even if there is no result for a certain field?

cmerriman — Tue, 20 Dec 2016 14:24:43 GMT

EDITED -- try this one:

  index=myindex host=server1 source=mysource
| multikv
| search Process=process1 OR Process=process2
| eval process1=if(searchmatch("process1"),1,0) 
| eval process2=if(searchmatch("process2"),1,0) 
| eventstats count as myCount sum(process1) AS process1 sum(process2) as process2 by Process 
| eval process1=if(myCount=="0",0,process1) 
| eval process2=if(myCount=="0",0,process2) 
| eval status=if((process1>0 OR process2>0) AND Runtime!="00:00:00","Running","Not Running") 
| stats latest(status) AS Status, latest(Runtime) AS Runtime by Process

try this:

 index=myindex host=server1 source=mysource
 | multikv
 | search Process=process1 OR Process=process2
 | eval status=if(Runtime!="00:00:00","Running","Not Running") 
 | stats latest(status) AS Status, latest(Runtime) AS Runtime by Process
| appendpipe [ stats count | eval "Status"="Not Running"  | where count==0 |table "Status"]

Re: How to get my eval statement to output a certain value, even if there is no result for a certain field?

PPape — Tue, 20 Dec 2016 14:27:00 GMT

could you please provide some sample data?

Re: How to get my eval statement to output a certain value, even if there is no result for a certain field?

lloydknight — Tue, 20 Dec 2016 14:36:32 GMT

hello PPape, the data that I am using comes from the scripts on the Splunk App (Splunk Add-on for Unix and Linux).

Re: How to get my eval statement to output a certain value, even if there is no result for a certain field?

lloydknight — Tue, 20 Dec 2016 14:40:14 GMT

Hello cmmerriman and thank you for your input.

What if Process=process1 has result and Process=process2 has no result? Will process2 appear on the table?

Re: How to get my eval statement to output a certain value, even if there is no result for a certain field?

rjthibod — Tue, 20 Dec 2016 14:43:14 GMT

Yes, it would

Re: How to get my eval statement to output a certain value, even if there is no result for a certain field?

cmerriman — Tue, 20 Dec 2016 14:45:06 GMT

if Process=process1, process2 is null and RunTime!="00:00:00", you should see something like Status = Running, Runtime=xxxx and Process=process1. if there is no data for one of the processes, it shouldn't appear on the table.

Re: How to get my eval statement to output a certain value, even if there is no result for a certain field?

lloydknight — Tue, 20 Dec 2016 15:09:42 GMT

sorry if I'm kind of confused.

What I wanted to do is for them to appear on the table even if there's no data.

The idea is like on this questions:

https://answers.splunk.com/answers/176466/how-to-use-eval-if-there-is-no-result-from-the-bas-1.html
https://answers.splunk.com/answers/50379/table-message-when-no-results-found.html

Re: How to get my eval statement to output a certain value, even if there is no result for a certain field?

lloydknight — Tue, 20 Dec 2016 16:30:01 GMT

tried removing the Process=process1 at the base search and it didn't appear as "Not Running" on the Status, it disappeared 😞

Re: How to get my eval statement to output a certain value, even if there is no result for a certain field?

somesoni2 — Tue, 20 Dec 2016 16:36:08 GMT

Give this a try

| gentimes start=-1 | eval Process="process1##process2" | table Process | eval Status="Not Running" 
| makemv Process delim="##" | mvexpand Process
| append [ search index=myindex host=server1 source=mysource
 | multikv
 | search Process=process1 OR Process=process2
 | eval status=if(Runtime!="00:00:00","Running","Not Running") 
 | stats latest(status) AS Status, latest(Runtime) AS Runtime by Process]
| stats list(Status) as Status list(Runtime) as Runtime by Process
| eval Status=mvindex(Status,-1)

Re: How to get my eval statement to output a certain value, even if there is no result for a certain field?

lloydknight — Tue, 20 Dec 2016 16:50:58 GMT

It's returning a "Not Running" status and a blank Runtime.

Re: How to get my eval statement to output a certain value, even if there is no result for a certain field?

somesoni2 — Tue, 20 Dec 2016 17:01:31 GMT

In all cases OR when your base search doesn't have records? Try removing the last stats and check if there are results.

Re: How to get my eval statement to output a certain value, even if there is no result for a certain field?

lloydknight — Tue, 20 Dec 2016 17:10:34 GMT

EDIT:
I removed the last stats and the result is Not Running

In all cases OR when your base search doesn't have records?
-didn't get the all cases but yes, even if my base search doesn't have records, they should retain on the table.

last stats? you mean the base search? Process=process2? tried removing one of it and it didn't disappear on the table. 😄

Re: How to get my eval statement to output a certain value, even if there is no result for a certain field?

somesoni2 — Tue, 20 Dec 2016 17:14:56 GMT

No. If your base search has records for both process1 and process2 (you need to update the first portion to put exact process name that you're using in your query), following search should return you 4 rows. If your base search has only one records, total records from below will be 2 and if your base search has no records, you'll still get 2 records with status Not Running (default value chosed in first search.

| gentimes start=-1 | eval Process="process1##process2" | table Process | eval Status="Not Running" 
 | makemv Process delim="##" | mvexpand Process
 | append [ search index=myindex host=server1 source=mysource
  | multikv
  | search Process=process1 OR Process=process2
  | eval status=if(Runtime!="00:00:00","Running","Not Running") 
  | stats latest(status) AS Status, latest(Runtime) AS Runtime by Process]

Re: How to get my eval statement to output a certain value, even if there is no result for a certain field?

lloydknight — Tue, 20 Dec 2016 17:31:51 GMT

I'm getting the default value (Not Running) even though my base search (process1 and process2) have records. Am I missing something here?

Re: How to get my eval statement to output a certain value, even if there is no result for a certain field?

lloydknight — Fri, 17 Feb 2017 21:07:49 GMT

apologies for accepting this answer late. this worked for me. thank you.