How to edit my eval statements to assign a value for a field when join returns no rows?

Explorer
index="Index1" sourcetype="response" | eval running_ok = if(response_status="Running","0","1") |head 1
|join running_ok
[search index="Index1" sourcetype="monitor" | eval running_ok = if(monitor_status="Running","0","1")|head 1] 
|eval final = if(running_ok==0,0,1)
|eval final = if(running_ok==" " OR running_ok==1,1,0) |table final | outputlookup output.csv 

I am using join on two sourcetypes for the field "running_ok".

The following table is derived based on how the inner join functions.
(Main search "running_ok" result), (Sub search "running_ok" result) = 0 or 1 or blank (join search returned no values)

0,0 = 0 (Running)
1,0 = blank (Not Running)
0,1 = blank (Not Running)
1,1 = 1 (Not Running)

With the statements below, I am able to assign the required value for "final" when running_ok=0 or 1, but I could not assign a value for "final" when "Join search returns no values."
Please let me know the way to do this when the join search returns no rows.

|eval final = if(running_ok==0,0,1)
|eval final = if(running_ok=="Join search returns no values." OR running_ok==1,1,0) 

The following two did not help either.

| eval final=if(match(running_ok, "No results") OR running_ok=1, 1, 0) |
| eval final = if(isnull(running_ok) OR running_ok==1,1,0)
0 Karma

Super Champion

Try this:

index="Index1" sourcetype="response" OR sourcetype="monitor"| eval running_ok = if(response_status="Running" OR monitor_status="Running","0","1") |head 1
 |fillnull running_ok value=1
 |eval final = if(running_ok==1,1,0) |table final | outputlookup output.csv

Explorer

Thank you. I am going to try it and update.
What does the following mean?

|fillnull running_ok value=1
0 Karma

Super Champion

You had two final eval statements, which I didn't understand the need for, and in one eval statement you had running_ok=" ". The fillnull statement would just fill all null values with the value 1, so you wouldn't need that in the eval.

0 Karma

Explorer

In the eval statement, with running_ok=" " I am looking for a query which did not return any rows ("No results found.").
I am sure it is not the right way to check it. I am looking for the right way to check for "No results found."
That is because the join does not return any rows when no match happens. I am trying to catch those kinds of entries, which will have "No results found".

0 Karma
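
An added example, not part of any post in this thread: when the inner join finds no match, the pipeline holds zero rows, so there is no running_ok field for eval or fillnull to act on. One way to cover that case is to append a row only when the result set is empty, using appendpipe with stats count; the index, sourcetype, field and lookup names are the ones from the question.

```spl
index="Index1" sourcetype="response"
| head 1
| eval running_ok=if(response_status=="Running","0","1")
| join running_ok
    [ search index="Index1" sourcetype="monitor"
      | head 1
      | eval running_ok=if(monitor_status=="Running","0","1") ]
| eval final=if(running_ok=="0", 0, 1)
| appendpipe
    [ stats count
      | where count==0
      | eval final=1
      | fields - count ]
| table final
| outputlookup output.csv
```

With a matching join the subpipeline's count is 1 and nothing is appended; with no match, stats count still emits a single row with count=0, which becomes the final=1 row written to the lookup.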