How to get my eval statement to output a certain value, even if there is no result for a certain field?

Builder

Hello,

Here's my search string:

index=myindex host=server1 source=mysource
| multikv
| search Process=process1 OR Process=process2
| eval status=if(Runtime!="00:00:00","Running","Not Running") 
| stats latest(status) AS Status, latest(Runtime) AS Runtime by Process

My question is, what if Process=process1 and Process=process2 return no result?
I want them to display the "Not Running" status, even if there's no result in the Process field.
I searched some answers, but they're not exactly what I am looking for, as the dummy field in those answers depends on | stats count, or maybe I just cannot figure it out.

Can you please guide me in figuring this out?

Thank you kindly.


SplunkTrust

Give this a try

| gentimes start=-1 | eval Process="process1##process2" | table Process | eval Status="Not Running" 
| makemv Process delim="##" | mvexpand Process
| append [ search index=myindex host=server1 source=mysource
 | multikv
 | search Process=process1 OR Process=process2
 | eval status=if(Runtime!="00:00:00","Running","Not Running") 
 | stats latest(status) AS Status, latest(Runtime) AS Runtime by Process]
| stats list(Status) as Status list(Runtime) as Runtime by Process
| eval Status=mvindex(Status,-1) 

Builder

It's returning a "Not Running" status and a blank Runtime.


SplunkTrust

In all cases, or only when your base search doesn't have records? Try removing the last stats and check whether there are results.


Builder

EDIT:
I removed the last stats and the result is Not Running.

In all cases OR when your base search doesn't have records?
- I didn't get the "all cases" part, but yes, even if my base search doesn't have records, they should be retained in the table.

Last stats? You mean the base search? Process=process2? I tried removing one of them and it didn't disappear from the table. 😄


SplunkTrust

No. If your base search has records for both process1 and process2 (you need to update the first portion to put the exact process names that you're using in your query), the following search should return 4 rows. If your base search has only one record, the total number of records from below will be 2, and if your base search has no records, you'll still get 2 records with status Not Running (the default value chosen in the first search).

| gentimes start=-1 | eval Process="process1##process2" | table Process | eval Status="Not Running" 
 | makemv Process delim="##" | mvexpand Process
 | append [ search index=myindex host=server1 source=mysource
  | multikv
  | search Process=process1 OR Process=process2
  | eval status=if(Runtime!="00:00:00","Running","Not Running") 
  | stats latest(status) AS Status, latest(Runtime) AS Runtime by Process]
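The seeding pattern from the accepted answer and the row-count explanation above, as an added example that is not from any of the posters: the base search is replaced by a constructed makeresults event for process1 only (process2 deliberately has no event), so it can be run on any Splunk instance without the index, host or source from the question.

```spl
| makeresults count=1
| eval Process="process1##process2", Status="Not Running"
| makemv Process delim="##"
| mvexpand Process
| table Process Status
| append [
    | makeresults count=1
    | eval Process="process1", Runtime="01:23:45"
    | eval status=if(Runtime!="00:00:00","Running","Not Running")
    | stats latest(status) AS Status, latest(Runtime) AS Runtime by Process
  ]
| stats list(Status) AS Status, list(Runtime) AS Runtime by Process
| eval Status=mvindex(Status,-1)
```

Before the final stats there are 3 rows (2 seed rows plus 1 from the subsearch); after it, process1 shows Running with Runtime 01:23:45 and process2 shows Not Running with a blank Runtime, because append places the subsearch rows after the seed rows, list() preserves input order, and mvindex(Status,-1) keeps the last value.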

Builder

I'm getting the default value (Not Running) even though my base search (process1 and process2) has records. Am I missing something here?


Builder

Apologies for accepting this answer late. This worked for me. Thank you.


Contributor

Could you please provide some sample data?


Builder

Hello PPape, the data that I am using comes from the scripts in the Splunk app (Splunk Add-on for Unix and Linux).


Super Champion

EDITED -- try this one:

index=myindex host=server1 source=mysource
| multikv
| search Process=process1 OR Process=process2
| eval process1=if(searchmatch("process1"),1,0) 
| eval process2=if(searchmatch("process2"),1,0) 
| eventstats count as myCount sum(process1) AS process1 sum(process2) as process2 by Process 
| eval process1=if(myCount=="0",0,process1) 
| eval process2=if(myCount=="0",0,process2) 
| eval status=if((process1>0 OR process2>0) AND Runtime!="00:00:00","Running","Not Running") 
| stats latest(status) AS Status, latest(Runtime) AS Runtime by Process

try this:

index=myindex host=server1 source=mysource
| multikv
| search Process=process1 OR Process=process2
| eval status=if(Runtime!="00:00:00","Running","Not Running")
| stats latest(status) AS Status, latest(Runtime) AS Runtime by Process
| appendpipe [ stats count | eval "Status"="Not Running"  | where count==0 |table "Status"]

Builder

I tried removing Process=process1 from the base search and it didn't appear as "Not Running" in the Status column, it disappeared 😞


Builder

Hello cmmerriman and thank you for your input.

What if Process=process1 has a result and Process=process2 has no result? Will process2 appear in the table?


Super Champion

If Process=process1, process2 is null and Runtime!="00:00:00", you should see something like Status=Running, Runtime=xxxx and Process=process1. If there is no data for one of the processes, it shouldn't appear in the table.


Builder

Sorry if I'm kind of confused.

What I want is for them to appear in the table even if there's no data.

The idea is like in these questions:

https://answers.splunk.com/answers/176466/how-to-use-eval-if-there-is-no-result-from-the-bas-1.html
https://answers.splunk.com/answers/50379/table-message-when-no-results-found.html


Champion

Yes, it would
