
Why is loadjob returning null?


I have the below query, which is returning null:


<search id="dfLatencyOverallProcessingDelayBaseSearch">
  <query>index="deng03-cis-dev-audit" | eval serviceName = mvindex(split(index, "-"), 1)."-".mvindex(split(host, "-"), 2) | search "data.labels.activity_type_name"="ViolationOpenEventv1" | spath PATH=data.labels.verbose_message output=verbose_message |
where verbose_message like "%overall_processing_delay%Dataflow Job labels%" | eval error=case(like(verbose_message,"%is above the threshold of 60.000%"), "warning", like(verbose_message,"%is above the threshold of 300.000%"), "failure")</query>
  <done>
    <set token="dfLatencyOverallProcessingDelay_sid">$job.sid$</set>
  </done>
</search>


SomeQuery | append [ loadjob $dfLatencyOverallProcessingDelay_sid$ | eval alertName = "Dataflow-Latency-Overall processing high delay" | stats values(alertName) as AlertName values(serviceName) as serviceName count(eval(error=="failure")) as failureCount count(eval(error=="warning")) as warningCount ]

If the result from dfLatencyOverallProcessingDelay_sid is null, then AlertName also comes back blank; I want it to be "Dataflow-Latency-Overall processing high delay".



Try something like this

append [ loadjob $dfLatencyOverallProcessingDelay_sid$ | eval alertName = "Dataflow-Latency-Overall processing high delay" | stats values(alertName) as AlertName values(serviceName) as serviceName count(eval(error=="failure")) as failureCount count(eval(error=="warning")) as warningCount | appendpipe [stats count as nullcount | where nullcount = 0 | eval AlertName = "Dataflow-Latency-Overall processing high delay"]]

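An added, self-contained SPL example (not the accepted answer's code) that you can paste into the search bar to check the empty-result handling without a dashboard or a loadjob: the makeresults/streamstats lines stand in for the loadjob subsearch with three constructed events (the serviceName values and the n field are assumptions for this example), the `where n > 3` line throws all of them away to simulate an empty base search, the appendpipe row covers the case where stats returns no rows at all, and the final coalesce covers the case where stats returns one row with an empty AlertName.

```spl
| makeresults count=3
| streamstats count AS n
| eval serviceName="deng03-svc-".n, error=case(n==1, "failure", true(), "warning")
| where n > 3
| eval alertName="Dataflow-Latency-Overall processing high delay"
| stats values(alertName) AS AlertName values(serviceName) AS serviceName count(eval(error=="failure")) AS failureCount count(eval(error=="warning")) AS warningCount
| appendpipe [ stats count AS nullcount | where nullcount=0 | eval failureCount=0, warningCount=0 | fields - nullcount ]
| eval AlertName=coalesce(AlertName, "Dataflow-Latency-Overall processing high delay")
```

Change `where n > 3` to `where n >= 1` to see the populated case, where the appendpipe row is not added and AlertName, failureCount=1 and warningCount=2 come from the real events.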