Splunk Search

where with empty subsearch result raises an error message

Ste
Path Finder

Dear experts

Based on the following search: 

  <search id="subsearch_results">
    <query>
      search index="iii" search_name="nnn" Umgebung="uuu" 
        isbName="isb"
        status IN ("ALREADY*", "NO_NOTIF*", "UNCONF*", "NOTIF*")
        zbpIdentifier NOT 453-8888
        stoerCodeGruppe NOT ("GUT*")
        | eval  importZeit_unixF = strptime(importZeit, "%Y-%m-%dT%H:%M:%S.%N%Z")
        | eval importZeit_humanF = strftime(importZeit_unixF, "%Y-%m-%d %H:%M:%S")
        | table importZeit_humanF importZeit_unixF zbpIdentifier status stoerCode stoerCodeGruppe
      </query>
    <earliest>$t_time.earliest$</earliest>
    <latest>$t_time.latest$@d</latest>
    <done>
      <condition>
        <set token="stoermeldungen_sid">$job.sid$</set>
      </condition>
    </done>
  </search>

I try to load some data with: 

<query>
   | loadjob $stoermeldungen_sid$
   | where stoerCode IN ("S00")
   | where [
      | loadjob $stoermeldungen_sid$
      | where stoerCode IN ("S00")
      | addinfo
      | where importZeit_unixF &gt;= relative_time(info_max_time,"-d@d") AND importZeit_unixF &lt;= relative_time(info_max_time,"@d")
      | stats count as dayCount by zbpIdentifier
      | sort -dayCount 
      | head 10
      | table zbpIdentifier ]
   | addinfo
   | where ....
</query>

Basic idea: 

  • the subsearch first derives the top 10 elements based on the number of yesterday's error messages.
  • based on the subsearch result, the 7-day history is then read and displayed (not fully shown in the example above)

All works fine except if no messages are found by the subsearch. If no error messages of the given type were recorded yesterday, the subsearch returns a result which causes the following error message in the dashboard:

Error in 'where' command: The expression is malformed. An unexpected character is reached at ')'.

The where command is the one which should take the result of the subsearch (3rd line of code).

The error message is just not nice for the end user; it would be better to get just an empty chart if no data is found.

The question is: how to fix the result of the subsearch in a way that the main search still runs and gets the proper empty result, and therefore the empty graph instead of the "not nice" error message?

Thank you for your help.


richgalloway
SplunkTrust

Use the appendpipe command to add synthetic results when the subsearch finds nothing.

| where [
      | loadjob $stoermeldungen_sid$
      | where stoerCode IN ("S00")
      | addinfo
      | where importZeit_unixF &gt;= relative_time(info_max_time,"-d@d") AND importZeit_unixF &lt;= relative_time(info_max_time,"@d")
      | stats count as dayCount by zbpIdentifier
      | sort -dayCount 
      | head 10
      | appendpipe [|stats count as Count | eval zbpIdentifier="Nothing found" | where Count=0 | fields - Count]
      | table zbpIdentifier ]


---
If this reply helps you, Karma would be appreciated.

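To check the appendpipe fallback without the dashboard's data, here is an added example (not from the thread) that runs the same subsearch pattern over constructed events from makeresults. The field names follow the question; the timestamps are constructed as now() minus n days, and now() stands in for the dashboard's info_max_time anchor.

```spl
| makeresults count=6
| streamstats count AS n
| eval zbpIdentifier="ZBP-".(n%3),
       stoerCode="S00",
       importZeit_unixF=now()-n*86400
| where [
    | makeresults count=6
    | streamstats count AS n
    | eval zbpIdentifier="ZBP-".(n%3),
           stoerCode="S00",
           importZeit_unixF=now()-n*86400
    | where stoerCode IN ("S00")
        AND importZeit_unixF>=relative_time(now(),"-1d@d")
        AND importZeit_unixF<relative_time(now(),"@d")
    | stats count AS dayCount BY zbpIdentifier
    | sort -dayCount
    | head 10
    | appendpipe [| stats count AS Count | eval zbpIdentifier="Nothing found" | where Count=0 | fields - Count]
    | table zbpIdentifier ]
| table n zbpIdentifier stoerCode importZeit_unixF
```

Only the n=1 event falls into "yesterday", so the subsearch returns zbpIdentifier="ZBP-1" and the outer where keeps the rows n=1 and n=4; changing the subsearch's "S00" to "S99" makes it find nothing, which without the appendpipe line reproduces the malformed-expression error and with it yields zbpIdentifier="Nothing found", so the outer search returns an empty table.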

Ste
Path Finder

@richgalloway The perfect solution, exactly what I was looking for.
Thank you