Splunk Search

where with empty subsearch result raises an error message

Ste
Path Finder

Dear experts

Based on the following search: 

  <search id="subsearch_results">
    <query>
      search index="iii" search_name="nnn" Umgebung="uuu" 
        isbName="isb"
        status IN ("ALREADY*", "NO_NOTIF*", "UNCONF*", "NOTIF*")
        zbpIdentifier NOT 453-8888
        stoerCodeGruppe NOT ("GUT*")
        | eval  importZeit_unixF = strptime(importZeit, "%Y-%m-%dT%H:%M:%S.%N%Z")
        | eval importZeit_humanF = strftime(importZeit_unixF, "%Y-%m-%d %H:%M:%S")
        | table importZeit_humanF importZeit_unixF zbpIdentifier status stoerCode stoerCodeGruppe
      </query>
    <earliest>$t_time.earliest$</earliest>
    <latest>$t_time.latest$@d</latest>
    <done>
      <condition>
        <set token="stoermeldungen_sid">$job.sid$</set>
      </condition>
    </done>
  </search>

I try to load some data with: 

<query>
   | loadjob $stoermeldungen_sid$
   | where stoerCode IN ("S00")
   | where [
      | loadjob $stoermeldungen_sid$
      | where stoerCode IN ("S00")
      | addinfo
      | where importZeit_unixF &gt;= relative_time(info_max_time,"-d@d") AND importZeit_unixF &lt;= relative_time(info_max_time,"@d")
      | stats count as dayCount by zbpIdentifier
      | sort -dayCount 
      | head 10
      | table zbpIdentifier ]
   | addinfo
   | where ....

Basic idea: 

  • the subsearch first derives the top 10 of the elements based on the number of yesterday's error messages.
  • based on the subsearch result, the 7-day history is then read and displayed (not fully shown in the example above)

Everything works fine except when no messages are found by the subsearch. If no error messages of the given type were recorded yesterday, the subsearch returns a result which causes the following error message in the dashboard:

Error in 'where' command: The expression is malformed. An unexpected character is reached at ')'.

The where command is the one which should take the result of the subsearch (3rd line of code).

The error message is just not nice for the end user; it would be better to get an empty chart if no data is found.

The question is: how can the result of the subsearch be fixed so that the main search also runs and gets a proper empty result, and therefore an empty graph instead of the "not nice" error message?

Thank you for your help.


richgalloway
SplunkTrust

Use the appendpipe command to add synthetic results when the subsearch finds nothing.

| where [
      | loadjob $stoermeldungen_sid$
      | where stoerCode IN ("S00")
      | addinfo
      | where importZeit_unixF &gt;= relative_time(info_max_time,"-d@d") AND importZeit_unixF &lt;= relative_time(info_max_time,"@d")
      | stats count as dayCount by zbpIdentifier
      | sort -dayCount 
      | head 10
      | appendpipe [|stats count as Count | eval zbpIdentifier="Nothing found" | where Count=0 | fields - Count]
      | table zbpIdentifier ]

---
If this reply helps you, Karma would be appreciated.
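To see why the empty subsearch breaks the `where` command in the question and why the `appendpipe` sentinel row in the answer above repairs it, here is a small Python model of the expansion step. This is an added illustration, not code from the thread or from Splunk: it mimics the documented behaviour of the implicit `format` command that turns subsearch rows into a boolean expression (rows become `( field="value" )` clauses joined with `OR`; an empty result set becomes the default `emptystr`, `NOT( )`), and it models the answer's `appendpipe [| stats count ... | where Count=0]` guard as a function. The row values and the `is_well_formed` check are constructed for the example.

```python
"""Model of Splunk subsearch expansion inside `| where [ ... ]`.

Added example (not Splunk's code). Assumptions, simplified from the docs:
  * subsearch rows are rendered by the implicit `format` command as
    ( ( f="v" AND g="w" ) OR ( ... ) )
  * with zero rows, `format` emits its default emptystr, the literal NOT( ),
    which `where` cannot parse -> "The expression is malformed ... at ')'"
"""
from typing import Dict, List

Row = Dict[str, str]


def format_subsearch(rows: List[Row], emptystr: str = "NOT( )") -> str:
    """Render subsearch rows the way Splunk's `format` command does."""
    if not rows:
        return emptystr  # documented default when the subsearch is empty
    clauses = []
    for row in rows:
        terms = " AND ".join(f'{k}="{v}"' for k, v in row.items())
        clauses.append(f"( {terms} )")
    return "( " + " OR ".join(clauses) + " )"


def appendpipe_guard(rows: List[Row], field: str = "zbpIdentifier",
                     sentinel: str = "Nothing found") -> List[Row]:
    """Model of the answer's guard:
    | appendpipe [| stats count as Count | eval <field>=<sentinel>
                  | where Count=0 | fields - Count]
    `stats count` always yields exactly one row; it survives only when the
    pipeline had no rows, so an empty result gains one synthetic row."""
    if rows:
        return rows
    return [{field: sentinel}]


def is_well_formed(expr: str) -> bool:
    """Constructed check standing in for the `where` parser: reject empty
    parentheses, which is exactly what NOT( ) contains."""
    compact = expr.replace(" ", "")
    return "()" not in compact and compact != ""


def build_where(rows: List[Row]) -> str:
    """The outer `| where [subsearch]` after expansion."""
    return f"| where {format_subsearch(rows)}"


if __name__ == "__main__":
    # constructed sample: two identifiers seen yesterday, then none
    yesterday = [{"zbpIdentifier": "4711"}, {"zbpIdentifier": "4712"}]
    for name, rows in (("with data", yesterday), ("no data", [])):
        raw = build_where(rows)
        guarded = build_where(appendpipe_guard(rows))
        print(f"{name}: {raw}  -> well-formed={is_well_formed(raw)}")
        print(f"{name} + appendpipe: {guarded}  -> well-formed={is_well_formed(guarded)}")
```

With data the guard is a no-op (the `where Count=0` row is discarded). With no data the expansion becomes `( ( zbpIdentifier="Nothing found" ) )`, a valid expression that matches nothing, so the main search returns an empty result and the dashboard draws an empty chart instead of raising the parse error.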

Ste
Path Finder

@richgalloway The perfect solution, exactly what I was looking for.
Thank you
