Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Empty result subsearch in eval/case

csocha
New Member
‎10-03-2017 10:03 AM

I am trying to eval a new field based on matching several sub searches. The issue is that these sub searches can potentially return an empty result which breaks the syntax of the eval command. Example:

index=A loglevel=error 
| eval group=case(
[search  "search string 1" | fields correlationField], "group 1",   
[search  "search string 2" | fields correlationField], "group 2"
1=1, "other")

In this example if "search string 1" is not found in the time range then an empty result is used for the condition for group 1, which causes an error:

Error in 'eval' command: The expression is malformed. An unexpected character is reached at ')
0 Karma
Reply

somesoni2
Revered Legend
‎10-03-2017 02:56 PM

If you're just setting group value based on which search string returns results (and not passing the actual value from subsearch), you can try like this

index=A loglevel=error 
 | eval group=case(
 [search  "search string 1" | stats count as search ]>0, "group 1",   
 [search  "search string 2" | stats count as search]>0, "group 2",
 1=1, "other")

You can also try this

index=A loglevel=error
| appendcols [search  "search string 1" | stats count by correlationField | table correlationField | rename correlationField as group1]
| appendcols [search  "search string 2" | stats count by correlationField | table correlationField | rename correlationField as group1]
| eval group=case(isnotnull(group1),"group1", isnotnull(group2),"group2", 1=1,"other")
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-03-2017 12:25 PM

You'll need to add to your subsearch so there's always a correlationField. Maybe this will help.

index=A loglevel=error 
| eval group=case(
[search  "search string 1" | eval correlationField=if(isnull(correlationField),0,correlationField) | fields correlationField], "group 1",   
[search  "search string 2" | eval correlationField=if(isnull(correlationField),0,correlationField) | fields correlationField], "group 2"
1=1, "other")
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

csocha
New Member
‎10-03-2017 02:48 PM

This has the same problem. The issue isn't results without a correlationField, it's that the subsearch might return no results at all.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...