Solved: Eval subsearch give error when result not found

salt87 · ‎08-07-2019

Hi,

my search is the following

| inputlookup genesis.csv

| eval _time=now()
| eval field1=[ | inputlookup lookup.csv
| search Field1=value
| stats count by Field1| return $count]

| outputlookup blabla.csv

This works when the subsearch returns a value, however it gives me an error when the subsearch return "No Result Found"

Is there something I can do to replace the error by the value "0"

thanks

MuS · ‎08-07-2019

Hi salt87,

give this a try:

| eval field1=[ | inputlookup lookup.csv
| search Field1=value
| stats count by Field1
| appendpipe 
    [| stats count 
    | where count=0]| return $count]

all this does is it will return something even you have no match. In the case of no match it will have count = 0 as result.

Hope this helps ...

cheers, MuS

View solution in original post

MuS · ‎08-07-2019

Hi salt87,

give this a try:

| eval field1=[ | inputlookup lookup.csv
| search Field1=value
| stats count by Field1
| appendpipe 
    [| stats count 
    | where count=0]| return $count]

all this does is it will return something even you have no match. In the case of no match it will have count = 0 as result.

Hope this helps ...

cheers, MuS

salt87 · ‎08-07-2019

You're a legend mate.

Eval subsearch give error when result not found

Cultivate Your Career Growth with Fresh Splunk Training

Introducing a Smarter Way to Discover Apps on Splunkbase

How to Send Splunk Observability Alerts to Webex teams in Minutes

Are you a member of the Splunk Community?

Eval subsearch give error when result not found

Cultivate Your Career Growth with Fresh Splunk Training

Introducing a Smarter Way to Discover Apps on Splunkbase

How to Send Splunk Observability Alerts to Webex teams in Minutes