
How do you display empty results when eval did not find a result?

edwardryan
New Member

Hello,

I have built the following query

"search query" 
earliest="11/22/2018:18:55:00" latest="11/22/2018:18:59:9"
| eval platform = if(source == "S1", "Android", "IOS")
| eval server = case(host == "H1", "Server1", host == "H2", "Server2")
| eval server_platform = server.":".platform
| timechart span=5m count as COUNT by server_platform

This works perfectly when there are results, although if a result is not found, no event is returned.

I think the problem is that, if no result is returned, the eval will fail and no result is displayed.

Is there a way I can create a dummy record and then populate it with the results?

I cannot default to a value, because I do not know what it didn't find.

Any help is much appreciated, I will continue investigating.

Thank you.


Richfez
SplunkTrust

You could use case as you were doing, but give it a default value for when nothing else matches.

Like,

...
| eval server = case(host="H1", "Server1", host="H2", "Server2", true(), "Unknown Server")
...

The true() is always true, because it's defined that way, so that particular option will always happen if you get that far in the case statement. Hence, if it doesn't match anything else, it'll match true, and therefore the field "server" will be "Unknown Server" if it wasn't one of the others.

Give that a try and see if it helps!

Happy Splunking,
Rich

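The question's full search with Rich's default branch applied, as an added example (not code from either post). Any event whose host is neither H1 nor H2 now gets server set to "Unknown Server", so server_platform still receives a value such as "Unknown Server:Android" and that event is counted under its own column instead of being left with an empty server field. The time window, source and host values are the ones from the question.

```spl
"search query"
earliest="11/22/2018:18:55:00" latest="11/22/2018:18:59:9"
| eval platform = if(source == "S1", "Android", "IOS")
| eval server = case(host == "H1", "Server1", host == "H2", "Server2", true(), "Unknown Server")
| eval server_platform = server.":".platform
| timechart span=5m count as COUNT by server_platform
```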