Splunk Search
Highlighted

How to handle "no results found" in subsearch

Engager

Hi all,

I have a subsearch that returns me the delta between two events. The problem is, sometimes the two events I´m looking for don´t exist. This results in the following Error in 'eval' command: The expression is malformed. An unexpected character is reached at ')'.

The subsearch looks like this:

| eval DisruptionInSeconds = [ my subsearch that returns the delta between two events 
| sort - _time 
| stats sum(timeDeltaS) as search | eval search ="\"".search."\"" ]

If these two events don´t exist, the search should return 0 (not NULL). How do I do that?

Thanks in advance for your help.

0 Karma
Highlighted

Re: How to handle "no results found" in subsearch

SplunkTrust
SplunkTrust

Use appendpipe.

| eval DisruptionInSeconds = [ my subsearch that returns the delta between two events 
| sort - _time 
| stats sum(timeDeltaS) as search | eval search ="\"".search."\"" 
| appendpipe [ stats count | eval search="0" | where count==0 | fields - count ] ]
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

Highlighted

Re: How to handle "no results found" in subsearch

Engager

That works. Thanks!

0 Karma