Hello,
Here's my search string:
index=myindex host=server1 source=mysource
| multikv
| search Process=process1 OR Process=process2
| eval status=if(Runtime!="00:00:00","Running","Not Running")
| stats latest(status) AS Status, latest(Runtime) AS Runtime by Process
My question is, what if Process=process1 and Process=process2 return no result? I want them to display the "Not Running" status, even if there's no result on the Process field.
I searched some answers, but they're not exactly what I am looking for, as the dummy field in those answers depends on | stats count, or maybe I just cannot figure it out.
Can you please guide me in figuring this out?
Thank you kindly.
Give this a try
| gentimes start=-1 | eval Process="process1##process2" | table Process | eval Status="Not Running"
| makemv Process delim="##" | mvexpand Process
| append [ search index=myindex host=server1 source=mysource
| multikv
| search Process=process1 OR Process=process2
| eval status=if(Runtime!="00:00:00","Running","Not Running")
| stats latest(status) AS Status, latest(Runtime) AS Runtime by Process]
| stats list(Status) as Status list(Runtime) as Runtime by Process
| eval Status=mvindex(Status,-1)
It's returning a "Not Running" status and a blank Runtime.
In all cases OR when your base search doesn't have records? Try removing the last stats and check if there are results.
EDIT:
I removed the last stats and the result is Not Running
In all cases OR when your base search doesn't have records?
- didn't get the "all cases" part, but yes, even if my base search doesn't have records, they should remain on the table.
Last stats? You mean the base search? Process=process2? I tried removing one of them and it didn't disappear from the table. 😄
No. If your base search has records for both process1 and process2 (you need to update the first portion to put the exact process names that you're using in your query), the following search should return you 4 rows. If your base search has records for only one, the total records from below will be 2, and if your base search has no records, you'll still get 2 records with status Not Running (the default value chosen in the first search).
| gentimes start=-1 | eval Process="process1##process2" | table Process | eval Status="Not Running"
| makemv Process delim="##" | mvexpand Process
| append [ search index=myindex host=server1 source=mysource
| multikv
| search Process=process1 OR Process=process2
| eval status=if(Runtime!="00:00:00","Running","Not Running")
| stats latest(status) AS Status, latest(Runtime) AS Runtime by Process]
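As an added, self-contained illustration of the accepted pattern (not the original poster's or the answerer's search) covering both the accepted answer and the 4/2/2-row explanation above, this version swaps the index search for makeresults-constructed events, with assumed process names process1/process2 and assumed runtimes 01:23:45 and 00:00:00, so the fallback rows can be verified without the Unix add-on data; it also seeds Runtime in the default rows so a missing process shows 00:00:00 instead of a blank.

```spl
| makeresults
| eval Process="process1##process2", Status="Not Running", Runtime="00:00:00"
| makemv delim="##" Process
| mvexpand Process
| table Process Status Runtime
| append [
    | makeresults count=2
    | streamstats count AS n
    | eval Process=if(n=1,"process1","process2"), Runtime=if(n=1,"01:23:45","00:00:00")
    | eval status=if(Runtime!="00:00:00","Running","Not Running")
    | stats latest(status) AS Status, latest(Runtime) AS Runtime by Process
  ]
| stats list(Status) AS Status, list(Runtime) AS Runtime by Process
| eval Status=mvindex(Status,-1), Runtime=mvindex(Runtime,-1)
```

The default rows arrive first and the subsearch rows second, which is why mvindex(-1) picks the real value whenever one exists; change count=2 to count=1 and process2 keeps "Not Running" with Runtime 00:00:00, and with count=0 both rows keep the default.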
I'm getting the default value (Not Running) even though my base search (process1 and process2) has records. Am I missing something here?
Apologies for accepting this answer late. This worked for me. Thank you.
Could you please provide some sample data?
Hello PPape, the data that I am using comes from the scripts in the Splunk App (Splunk Add-on for Unix and Linux).
EDITED -- try this one:
index=myindex host=server1 source=mysource
| multikv
| search Process=process1 OR Process=process2
| eval process1=if(searchmatch("process1"),1,0)
| eval process2=if(searchmatch("process2"),1,0)
| eventstats count as myCount sum(process1) AS process1 sum(process2) as process2 by Process
| eval process1=if(myCount=="0",0,process1)
| eval process2=if(myCount=="0",0,process2)
| eval status=if((process1>0 OR process2>0) AND Runtime!="00:00:00","Running","Not Running")
| stats latest(status) AS Status, latest(Runtime) AS Runtime by Process
Try this:
index=myindex host=server1 source=mysource
| multikv
| search Process=process1 OR Process=process2
| eval status=if(Runtime!="00:00:00","Running","Not Running")
| stats latest(status) AS Status, latest(Runtime) AS Runtime by Process
| appendpipe [ stats count | eval "Status"="Not Running" | where count==0 | table "Status" ]
I tried removing Process=process1 from the base search and it didn't appear as "Not Running" in the Status; it disappeared 😞
Hello cmmerriman and thank you for your input.
What if Process=process1 has a result and Process=process2 has no result? Will process2 appear on the table?
If Process=process1, process2 is null and RunTime!="00:00:00", you should see something like Status = Running, Runtime=xxxx and Process=process1. If there is no data for one of the processes, it shouldn't appear on the table.
Sorry if I'm kind of confused.
What I wanted to do is for them to appear on the table even if there's no data.
The idea is like in these questions:
https://answers.splunk.com/answers/176466/how-to-use-eval-if-there-is-no-result-from-the-bas-1.html
https://answers.splunk.com/answers/50379/table-message-when-no-results-found.html
Yes, it would.