Dear experts
Based on the following search:
<search id="subsearch_results">
<query>
search index="iii" search_name="nnn" Umgebung="uuu"
isbName="isb"
status IN ("ALREADY*", "NO_NOTIF*", "UNCONF*", "NOTIF*")
zbpIdentifier NOT 453-8888
stoerCodeGruppe NOT ("GUT*")
| eval importZeit_unixF = strptime(importZeit, "%Y-%m-%dT%H:%M:%S.%N%Z")
| eval importZeit_humanF = strftime(importZeit_unixF, "%Y-%m-%d %H:%M:%S")
| table importZeit_humanF importZeit_unixF zbpIdentifier status stoerCode stoerCodeGruppe
</query>
<earliest>$t_time.earliest$</earliest>
<latest>$t_time.latest$@d</latest>
<done>
<condition>
<set token="stoermeldungen_sid">$job.sid$</set>
</condition>
</done>
</search>
I try to load some data with:
<query>
| loadjob $stoermeldungen_sid$
| where stoerCode IN ("S00")
| where [
| loadjob $stoermeldungen_sid$
| where stoerCode IN ("S00")
| addinfo
| where importZeit_unixF >= relative_time(info_max_time,"-d@d") AND importZeit_unixF <= relative_time(info_max_time,"@d")
| stats count as dayCount by zbpIdentifier
| sort -dayCount
| head 10
| table zbpIdentifier ]
| addinfo
| where ....
Basic idea:
- the subsearch first derives the top 10 of the elements based on the number of yesterday's error messages.
- based on the subsearch result then the 7 day history is read and displayed (not fully shown in the example above)
All works fine except if there are no messages found by the subsearch. If yesterday no error messages of the given type were recorded, the subsearch returns a result which causes the following error message in the dashboard:
Error in ´where´command: The expression is malformed. An unexpected character is reached at ´)´.
The where command is the one which should take the result of the subsearch (3rd line of code).
The error message is just not nice for the end user; it would be better to get just an empty chart if no data is found.
The question is: how can the result of the subsearch be fixed so that the main search also runs and gets the proper empty result, and therefore the empty graph instead of the "not nice" error message?
Thank you for your help.
richgalloway (SplunkTrust)
Use the appendpipe command to add synthetic results when the subsearch finds nothing.
| where [
| loadjob $stoermeldungen_sid$
| where stoerCode IN ("S00")
| addinfo
| where importZeit_unixF >= relative_time(info_max_time,"-d@d") AND importZeit_unixF <= relative_time(info_max_time,"@d")
| stats count as dayCount by zbpIdentifier
| sort -dayCount
| head 10
| appendpipe [|stats count as Count | eval zbpIdentifier="Nothing found" | where Count=0 | fields - Count]
| table zbpIdentifier ]
If this reply helps you, Karma would be appreciated.
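The appendpipe fallback from the reply above can be tried in a search bar without the dashboard. This is an added example, not part of the original posts. It builds constructed events with makeresults (the `constructed-` identifiers and the `S99` code are assumptions), so the subsearch matches nothing and the fallback row is what `where` receives:

```spl
| makeresults count=6
| streamstats count as n
| eval zbpIdentifier="constructed-".(n%3), stoerCode="S00"
| where [
    | makeresults count=6
    | streamstats count as n
    | eval zbpIdentifier="constructed-".(n%3), stoerCode="S99"
    | where stoerCode IN ("S00")
    | stats count as dayCount by zbpIdentifier
    | sort -dayCount
    | head 10
    | appendpipe [ stats count as Count | where Count=0 | eval zbpIdentifier="Nothing found" | fields - Count ]
    | table zbpIdentifier ]
| stats count by zbpIdentifier
```

As written, the outer search finishes with no rows instead of the malformed-expression error. Changing `S99` to `S00` in the subsearch makes it return the three constructed identifiers, and the fallback row is not added.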
@richgalloway The perfect solution, exactly what I was looking for.
Thank you