Splunk Search

Subsearch returns empty value, main search also returns no results, so the returned value from subsearch is not creating eval error

Explorer
index=app_core sourcetype=app_log cluster_name=app1_cluster is_scheduled=1 
| eval 
    [ search index=app_core sourcetype=app_log cluster_name=app1_cluster is_scheduled=1  
    | eval 
        [ search index=app_core sourcetype=app_log cluster_name=app1_cluster is_scheduled=1 
        | rex max_match=0 field=search "savedsearch\s{0,}\"{1}(?<anotherSavedSearchUseInSearch>(\w+){0,})" 
        | stats count values(dataStatus) as dataStatus dc(anotherSavedSearchUseInSearch) as rexCount 
        | eval dataStatus = if(count == 0 ,"dataDoesntExist","dataExists") 
        | eval dataStatusAndRexStatus = dataStatus.",".rexCount 
        | return dataStatusAndRexStatus ] 
    | eval dataStatus = mvindex(split(dataStatusAndRexStatus,","),0) 
    | eval rexCount = mvindex(split(dataStatusAndRexStatus,","),1) 
    | rex max_match=0 field=search "savedsearch\s{0,}\"{1}(?<anotherSavedSearchUseInSearch>(\w+){0,})" 
    | eval anotherSavedSearchUseInSearch = case(dataStatus == "dataDoesntExist","NoTitle2", rexCount == 0,"NoTitle2",rexCount > 0,anotherSavedSearchUseInSearch) 
    | stats values(anotherSavedSearchUseInSearch) as Title2 delim=" " 
    | nomv Title2 
    | return Title2]

If Title2 returns a value, then it doesn't throw any error. If Title2 is empty then it throws "Error in 'eval' command: Arguments are missing. Usage: eval dest_key = expression."

Kindly help.

0 Karma

Motivator

Try adding a | eval Title2=coalesce(Title2,"") as the second last line (before return). This will ensure your eval gets a valid return value. You could even add a "n/a" or something else as return value if needed.

0 Karma

Explorer

From subsearch ——> Title2 is returning some value.

But main search (index=appcore sourcetype=applog appleclustername=APPTEST isscheduled=1 eaiaclowner=* ) —> This is common,
1. doesn't have any data in it, then it is showing error: Error in 'eval' command: Arguments are missing. Usage: eval dest_key = expression.
2. if data exists, then it doesn't throw any error.

The query should also work when data doesn't exist.

0 Karma

Explorer

Kindly help us on priority

0 Karma

Motivator

I don't want to be disrespectful - but you cannot expect "priority help" in a community-driven support platform. If you need this to be investigated and solved with priority - open a support case with Splunk, get Splunk Professional Service to assist you, and pay for it. Nearly everyone here is doing this in their free time, without any payment whatsoever. Please keep this in mind!

0 Karma

Explorer

Ok. I apologize for it.

0 Karma

Motivator

If there is no result in your subsearch, you will get no return value, hence the search will finish like "eval" with no value. This is a syntax error.

So add the stated command between nomv and return and Title2 will always be set - either with the search result, or with an empty value. Your main search will not fail anymore.

Do you need some more functionality?

0 Karma
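A self-contained illustration of the case described in the reply above, added here and not part of the original thread. It uses only `makeresults`, so it needs no index; the `where 1=0` filter is a constructed stand-in for a base search that matches no events, and `NoTitle2` is the placeholder value from the question.

```spl
| makeresults
| eval
    [| makeresults
     | eval anotherSavedSearchUseInSearch="constructed_value"
     | where 1=0
     | stats values(anotherSavedSearchUseInSearch) as Title2
     | nomv Title2
     | eval Title2=coalesce(Title2, "NoTitle2")
     | return Title2 ]
| table Title2
```

Because `stats` without a by clause still emits one row when it receives no events, the `coalesce` line has a row to act on and the subsearch returns `Title2="NoTitle2"`. Without that line the subsearch hands `eval` nothing, which is the situation the reply describes.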

Explorer

My functionality here is to again use the entire search as a subsearch and return another value, but the main search would always be same. If data exists for main search I don't get any eval statement error, otherwise I see this issue

0 Karma

Explorer

Still am getting the same error. Attached screenshot for reference.

0 Karma

Explorer

Am unable to attach the screenshot, the issue here is subsearch would return results, even if it is empty I would add some dummy data as NoTitle2 and return it.

It is working fine if the main search (index=appcore sourcetype=applog appleclustername=APPTEST isscheduled=1 eaiaclowner=* ) has at least a single event. Otherwise it throws eval error

0 Karma

Motivator

Okay, so I was getting you wrong - I was assuming the Title2 was the issue here.

You may be able to use makeresults here ...

index=appcore sourcetype=applog appleclustername=APPTEST isscheduled=1 eaiaclowner=* | append [|makeresults]

This will ensure you don't have an empty result set to work with.

0 Karma

Explorer

index=appcore sourcetype=applog appleclustername=APPTEST isscheduled=1
| eval
[ search index=appcore sourcetype=applog appleclustername=APPTEST isscheduled=1
| eval
[ search index=appcore sourcetype=applog appleclustername=APPTEST isscheduled=1
| rex max_match=0 field=search "savedsearch\s{0,}\"{1}(?<anotherSavedSearchUseInSearch>(\w+){0,})"
| stats count values(dataStatus) as dataStatus dc(anotherSavedSearchUseInSearch) as rexCount
| eval dataStatus = if(count == 0 ,"dataDoesntExist","dataExists")
| eval dataStatusAndRexStatus = dataStatus.",".rexCount
| return dataStatusAndRexStatus ]
| eval dataStatus = mvindex(split(dataStatusAndRexStatus,","),0)
| eval rexCount = mvindex(split(dataStatusAndRexStatus,","),1)
| rex max_match=0 field=search "savedsearch\s{0,}\"{1}(?<anotherSavedSearchUseInSearch>(\w+){0,})"
| eval anotherSavedSearchUseInSearch = case(dataStatus == "dataDoesntExist","NoTitle2", rexCount == 0,"NoTitle2",rexCount > 0,anotherSavedSearchUseInSearch)
| stats values(anotherSavedSearchUseInSearch) as Title2 delim=" "
| nomv Title2
| return Title2]

3 cases
1. Main search data exists, Title2 will return the correct value, Title2 will be listed in Selected Fields, so that it can be used further.
2. Main search data exists, Title2 will return a dummy value (NoTitle2), still Title2 will be listed in Selected Fields, so that it can be used further
3. Main search doesn't have any data, in this case if I use append and makeresults options as suggested, event is being created. But the same query is not working in first 2 cases, key value pair is not being created.

0 Karma

Explorer

It gives an error : Unknown search command 'coalesce'.

0 Karma

Motivator

I am sorry, I made a mistake in the eval command, corrected it above. Please see if this works for you!

0 Karma