Solved: Eval subsearch give error when result not found

salt87 · ‎08-07-2019

Hi,

my search is the following

| inputlookup genesis.csv

| eval _time=now()
| eval field1=[ | inputlookup lookup.csv
| search Field1=value
| stats count by Field1| return $count]

| outputlookup blabla.csv

This works when the subsearch returns a value, however it gives me an error when the subsearch return "No Result Found"

Is there something I can do to replace the error by the value "0"

thanks

MuS · ‎08-07-2019

Hi salt87,

give this a try:

| eval field1=[ | inputlookup lookup.csv
| search Field1=value
| stats count by Field1
| appendpipe 
    [| stats count 
    | where count=0]| return $count]

all this does is it will return something even you have no match. In the case of no match it will have count = 0 as result.

Hope this helps ...

cheers, MuS

View solution in original post

MuS · ‎08-07-2019

Hi salt87,

give this a try:

| eval field1=[ | inputlookup lookup.csv
| search Field1=value
| stats count by Field1
| appendpipe 
    [| stats count 
    | where count=0]| return $count]

all this does is it will return something even you have no match. In the case of no match it will have count = 0 as result.

Hope this helps ...

cheers, MuS

salt87 · ‎08-07-2019

You're a legend mate.

Eval subsearch give error when result not found

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation