Splunk Search

How to edit my eval statements to assign a value for a field when join returns no rows?

email2vamsi
Explorer
index="Index1" sourcetype="response" | eval running_ok = if(response_status="Running","0","1") |head 1
|join running_ok
[search index="Index1" sourcetype="monitor" | eval running_ok = if(monitor_status="Running","0","1")|head 1] 
|eval final = if(running_ok==0,0,1)
|eval final = if(running_ok==" " OR running_ok==1,1,0) |table final | outputlookup output.csv 

I am using join on two sourcetypes for the field "running_ok".

The following table is derived from how the inner join functions.
(Main search "running_ok" result, Sub search "running_ok" result) = 0 or 1 or blank (join search returned no values):

0,0 = 0 (Running)
1,0 = blank (Not Running)
0,1 = blank (Not Running)
1,1 = 1 (Not Running)

With the evals below, I am able to assign the required value for "final" when running_ok=0 or 1, but I could not assign a value for "final" when the join search returns no values.
Please let me know the way to handle it when the join search returns no rows.

|eval final = if(running_ok==0,0,1)
|eval final = if(running_ok=="Join search returns no values." OR running_ok==1,1,0) 

The following two did not help either.

| eval final=if(match(running_ok, "No results") OR running_ok=1, 1, 0)
| eval final = if(isnull(running_ok) OR running_ok==1,1,0)

cmerriman
Super Champion

try this:

index="Index1" sourcetype="response" OR sourcetype="monitor"| eval running_ok = if(response_status="Running" OR monitor_status="Running","0","1") |head 1
 |fillnull running_ok value=1
 |eval final = if(running_ok==1,1,0) |table final | outputlookup output.csv

email2vamsi
Explorer

Thank you. I am going to try it and update.
What does the following mean?

|fillnull running_ok value=1

cmerriman
Super Champion

You had two final eval statements, which I didn't understand the need for, and in one eval statement you had running_ok=" ". The fillnull statement would just fill all null values with the value 1, so you wouldn't need that in the eval.


email2vamsi
Explorer

In the eval statement running_ok=" " I am looking for a query which did not return any rows (No results found.).
I am sure it is not the right way to check it. I am looking for the right way to check for "No results found."
Because the join does not return any rows when no match happens, I am trying to catch those kinds of entries, which will have "No results found".

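Why the isnull() check in the thread never fires: the default join is an inner join, so when the subsearch has no matching running_ok value the main-search row itself is discarded, and there is no row left for a later eval to inspect. The query below is an added example (not code from this thread) that avoids join and always produces a row; it assumes the field names response_status and monitor_status from the question, and the rule that final is 0 only when both sources report Running.

```spl
index="Index1" (sourcetype="response" OR sourcetype="monitor")
| eval status=coalesce(response_status, monitor_status)
| stats latest(status) AS status BY sourcetype
| eval running_ok=if(status="Running", 0, 1)
| stats max(running_ok) AS final, dc(sourcetype) AS sides
| eval final=if(isnull(final) OR sides<2, 1, final)
| appendpipe [ stats count AS n | where n=0 | eval final=1 ]
| table final
| outputlookup output.csv
```

latest(status) per sourcetype replaces the two head 1 searches, dc(sourcetype) turns a missing source into final=1, and the appendpipe subsearch adds a final=1 row when the search returns nothing at all (stats count yields 0 on empty input, so the where clause keeps that row only in the empty case).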