Hello,
I have built the following query
"search query"
earliest="11/22/2018:18:55:00" latest="11/22/2018:18:59:9"
| eval platform = if(source == "S1", "Android", "IOS")
| eval server = case(host == "H1", "Server1", host == "H2", "Server2")
| eval server_platform = server.":".platform
| timechart span=5m count as COUNT by server_platform
This works perfectly when there are results, although if a result is not found, no event is returned.
I think the problem is that, if no result is returned, the eval will fail and no result is displayed.
Is there a way I can create a dummy record and then populate it with the results?
I cannot default to a value, because I do not know what it didn't find.
Any help is much appreciated, I will continue investigating.
Thank you.
You could use case as you were doing, but give it a default value for when nothing else matches.
Like,
...
| eval server = case(host="H1", "Server1", host="H2", "Server2", true(), "Unknown Server")
...
The true() is always true, because it's defined that way, so that particular option will always happen if you get that far in the case statement. Hence, if it doesn't match anything else, it'll match true, and therefore the field "server" will be "Unknown Server" if it wasn't one of the others.
Give that a try and see if it helps!
Happy Splunking,
Rich
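The query from the question with the default branch from the answer applied, as an added example (it is assembled here from both posts and is not code from either poster); the "search query" line and the time bounds are the placeholders from the question:

```spl
"search query"
earliest="11/22/2018:18:55:00" latest="11/22/2018:18:59:9"
| eval platform = if(source == "S1", "Android", "IOS")
| eval server = case(host == "H1", "Server1", host == "H2", "Server2", true(), "Unknown Server")
| eval server_platform = server.":".platform
| timechart span=5m count as COUNT by server_platform
```

With the true() branch in place, an event whose host is neither H1 nor H2 is counted under an Unknown Server series instead of leaving server unset, which makes unexpected hosts visible in the chart rather than silently absent. Note that eval runs per event: if the time window contains no events at all, there is nothing for either eval or timechart to act on, so the search still produces no rows in that case.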