- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to edit my eval statements to assign a val...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to edit my eval statements to assign a value for a field when join returns no rows?
index="Index1" sourcetype="response" | eval running_ok = if(response_status="Running","0","1") |head 1
|join running_ok
[search index="Index1" sourcetype="monitor" | eval running_ok = if(monitor_status="Running","0","1")|head 1]
|eval final = if(running_ok==0,0,1)
|eval final = if(running_ok==" " OR running_ok==1,1,0) |table final | outputlookup output.csv
I am using join on two sourcetypes for the field "running_ok".
The following table is derived based on how the inner join functions.
Main search "running_ok" result), (Sub search "running_ok" result)= 0 or 1 or Blank (Join Search returned no values.)
0,0=0 (Running)
1,0= blank (Not Running)
0,1= blank (Not Running)
1,1=1 (Not Running)
From these below, I am able to assign required value for "final" when running_ok=0 or 1, but I could not assign value for "final" when "Join search returns no values."
Please let me know the way when join search returns no rows.
|eval final = if(running_ok==0,0,1)
|eval final = if(running_ok=="Join search returns no values." OR running_ok==1,1,0)
The following two did not help either.
| eval final=if(match(running_ok, "No results") OR running_ok=1, 1, 0) |
| eval final = if(isnull(running_ok) OR running_ok==1,1,0)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this:
index="Index1" sourcetype="response" OR sourcetype="monitor"| eval running_ok = if(response_status="Running" OR monitor_status="Running","0","1") |head 1
|fillnull running_ok value=1
|eval final = if(running_ok==1,1,0) |table final | outputlookup output.csv
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you. I am going to try it and update.
What does the following mean?
|fillnull running_ok value=1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you had two final eval statements, which I didn't understand the need for, and in one eval statement, you had running_ok=" " and the fillnull statement would just fill all null values with the value 1, so you wouldn't need that in the eval.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In the eval statement running_ok=" " i am looking for query which did not return any rows(No results found. ).
I am sure it is not the right way to check it. I am looking for the right way to check "No results found. "
Because the join does not return any rows when no match happens. I am trying to catch those kind of entries,which will have "No results found".
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
