
How do you display empty results when eval did not find a result?

edwardryan
New Member

Hello,

I have built the following query:

"search query" 
earliest="11/22/2018:18:55:00" latest="11/22/2018:18:59:9"
| eval platform = if(source == "S1", "Android", "IOS")
| eval server = case(host == "H1", "Server1", host == "H2", "Server2")
| eval server_platform = server.":".platform
| timechart span=5m count as COUNT by server_platform

This works perfectly when there are results, although if a result is not found, no event is returned.

I think the problem is that, if no result is returned, the eval will fail and no result is displayed.

Is there a way I can create a dummy record and then populate it with the results?

I cannot default to a value, because I do not know what it didn't find.

Any help is much appreciated, I will continue investigating.

Thank you.

0 Karma

Richfez
SplunkTrust

You could use case as you were doing, but give it a default value for when nothing else matches.

Like,

...
| eval server = case(host="H1", "Server1", host="H2", "Server2", true(), "Unknown Server")
...

The true() is always true, because it's defined that way, so that particular option will always happen if you get that far in the case statement. Hence, if it doesn't match anything else, it'll match true, and therefore the field "server" will be "Unknown Server" if it wasn't one of the others.

Give that a try and see if it helps!

Happy Splunking,
Rich

0 Karma
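
The default branch suggested in the answer above, shown next to the original `case()` on constructed events. This is an added example, not part of either post: the three events come from `makeresults`, host `H9` is a made-up value that matches neither branch, and the field names `n`, `server_no_default` and `without_default` are hypothetical.

```spl
| makeresults count=3
| streamstats count as n
| eval host = case(n == 1, "H1", n == 2, "H2", n == 3, "H9")
| eval source = if(n == 2, "S2", "S1")
| eval platform = if(source == "S1", "Android", "IOS")
| eval server_no_default = case(host == "H1", "Server1", host == "H2", "Server2")
| eval server = case(host == "H1", "Server1", host == "H2", "Server2", true(), "Unknown Server")
| eval without_default = server_no_default.":".platform
| eval server_platform = server.":".platform
| table host source without_default server_platform
```

For the `H9` row, `without_default` is empty because `case()` returned null and concatenating null yields null, while `server_platform` is `Unknown Server:Android`. The default only labels events that exist; it does not create rows for a time range that has no events.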