Solved: How to get my eval statement to output a certain v...

lloydknight · ‎12-20-2016

Hello,

Here's my search string:

index=myindex host=server1 source=mysource
| multikv
| search Process=process1 OR Process=process2
| eval status=if(Runtime!="00:00:00","Running","Not Running") 
| stats latest(status) AS Status, latest(Runtime) AS Runtime by Process

My question is, what if Process=process1 and Process=process2 returns no result?
I want them to display the "Not Running" status, even if there's no result on the Process field.
Searched some answers, but it's not exactly what I am looking for as the dummy field on the answers depends on the | stats count, or maybe I just cannot figure it out.

Can you please guide me in figuring this out?

Thank you kindly.

somesoni2 · ‎12-20-2016

Give this a try

| gentimes start=-1 | eval Process="process1##process2" | table Process | eval Status="Not Running" 
| makemv Process delim="##" | mvexpand Process
| append [ search index=myindex host=server1 source=mysource
 | multikv
 | search Process=process1 OR Process=process2
 | eval status=if(Runtime!="00:00:00","Running","Not Running") 
 | stats latest(status) AS Status, latest(Runtime) AS Runtime by Process]
| stats list(Status) as Status list(Runtime) as Runtime by Process
| eval Status=mvindex(Status,-1)

View solution in original post

somesoni2 · ‎12-20-2016

Give this a try

| gentimes start=-1 | eval Process="process1##process2" | table Process | eval Status="Not Running" 
| makemv Process delim="##" | mvexpand Process
| append [ search index=myindex host=server1 source=mysource
 | multikv
 | search Process=process1 OR Process=process2
 | eval status=if(Runtime!="00:00:00","Running","Not Running") 
 | stats latest(status) AS Status, latest(Runtime) AS Runtime by Process]
| stats list(Status) as Status list(Runtime) as Runtime by Process
| eval Status=mvindex(Status,-1)

lloydknight · ‎12-20-2016

It's returning a "Not Running" status and a blank Runtime.

somesoni2 · ‎12-20-2016

In all cases OR when your base search doesn't have records? Try removing the last stats and check if there are results.

lloydknight · ‎12-20-2016

EDIT:
I removed the last stats and the result is Not Running

In all cases OR when your base search doesn't have records?
-didn't get the all cases but yes, even if my base search doesn't have records, they should retain on the table.

last stats? you mean the base search? Process=process2? tried removing one of it and it didn't disappear on the table. 😄

somesoni2 · ‎12-20-2016

No. If your base search has records for both process1 and process2 (you need to update the first portion to put exact process name that you're using in your query), following search should return you 4 rows. If your base search has only one records, total records from below will be 2 and if your base search has no records, you'll still get 2 records with status Not Running (default value chosed in first search.

| gentimes start=-1 | eval Process="process1##process2" | table Process | eval Status="Not Running" 
 | makemv Process delim="##" | mvexpand Process
 | append [ search index=myindex host=server1 source=mysource
  | multikv
  | search Process=process1 OR Process=process2
  | eval status=if(Runtime!="00:00:00","Running","Not Running") 
  | stats latest(status) AS Status, latest(Runtime) AS Runtime by Process]

lloydknight · ‎12-20-2016

I'm getting the default value (Not Running) even though my base search (process1 and process2) have records. Am I missing something here?

lloydknight · ‎02-17-2017

apologies for accepting this answer late. this worked for me. thank you.

PPape · ‎12-20-2016

could you please provide some sample data?

lloydknight · ‎12-20-2016

hello PPape, the data that I am using comes from the scripts on the Splunk App (Splunk Add-on for Unix and Linux).

cmerriman · ‎12-20-2016

EDITED -- try this one:

  index=myindex host=server1 source=mysource
| multikv
| search Process=process1 OR Process=process2
| eval process1=if(searchmatch("process1"),1,0) 
| eval process2=if(searchmatch("process2"),1,0) 
| eventstats count as myCount sum(process1) AS process1 sum(process2) as process2 by Process 
| eval process1=if(myCount=="0",0,process1) 
| eval process2=if(myCount=="0",0,process2) 
| eval status=if((process1>0 OR process2>0) AND Runtime!="00:00:00","Running","Not Running") 
| stats latest(status) AS Status, latest(Runtime) AS Runtime by Process

try this:

 index=myindex host=server1 source=mysource
 | multikv
 | search Process=process1 OR Process=process2
 | eval status=if(Runtime!="00:00:00","Running","Not Running") 
 | stats latest(status) AS Status, latest(Runtime) AS Runtime by Process
| appendpipe [ stats count | eval "Status"="Not Running"  | where count==0 |table "Status"]

lloydknight · ‎12-20-2016

tried removing the Process=process1 at the base search and it didn't appear as "Not Running" on the Status, it disappeared 😞

lloydknight · ‎12-20-2016

Hello cmmerriman and thank you for your input.

What if Process=process1 has result and Process=process2 has no result? Will process2 appear on the table?

cmerriman · ‎12-20-2016

if Process=process1, process2 is null and RunTime!="00:00:00", you should see something like Status = Running, Runtime=xxxx and Process=process1. if there is no data for one of the processes, it shouldn't appear on the table.

lloydknight · ‎12-20-2016

sorry if I'm kind of confused.

What I wanted to do is for them to appear on the table even if there's no data.

The idea is like on this questions:

https://answers.splunk.com/answers/176466/how-to-use-eval-if-there-is-no-result-from-the-bas-1.html
https://answers.splunk.com/answers/50379/table-message-when-no-results-found.html

rjthibod · ‎12-20-2016

Yes, it would

How to get my eval statement to output a certain value, even if there is no result for a certain field?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies