Hello,
I am doing a search and I know that sometimes it will return no results.
index=gamification AND sourcetype = stash | eval isFailure!=if(searchmatch("gamification"),1,0) | table isFailure
Why does table isFailure never show any results?
Another example is my concrete query:
index=gamification | spath
| rename gamification.action.name as actionId,
gamification.user.id as playerId,
_indextime as date,
gamification.origin.name as origin
| where origin="sparxea"
| eval updated=[
search index=gamification AND sourcetype = stash
| eval isFailure=if(searchmatch("gamification"),1,0)
| eval updated=if(isFailure =="0",now(),_indextime)
| return $updated ]
| eval updated = strftime(updated,"%Y.%m.%d %H:%M.%S")
| where date > updated
| table updated,date,playerId,actionId
| script python gamification -t playlyfe -c action -m p
| collect index="gamification"
Here I am testing whether I have event results in a subsearch; if I have, I take the indextime of the first result, if not, the current time.
With this search, I get an error: eval dest_key = expression
Here is why I am testing the result count: https://answers.splunk.com/answers/176466/how-to-use-eval-if-there-is-no-result-from-the-bas-1.html. This link seemed to be a possible solution to my problem.
At the beginning, I was doing the subsearch like this, but it gives me the same error: eval dest_key = expression
| eval updated=[ search index=gamification AND sourcetype = stash
| eval updated=if( isnotnull( extractfield ),_indextime,now())
| return $updated ]
I really need help, please. Thanks.
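An added example, not part of the original post, showing one way to keep the subsearch from expanding to nothing. The "eval dest_key = expression" message is the usage hint eval prints when its right-hand side is empty, which is what a subsearch with zero results expands to. A `stats count` step always emits exactly one row, even over zero events, so `return $updated` always has a value to hand back. Index, sourcetype and field names are taken from the question; `max(_indextime)` is an assumption standing in for "the indextime of the first result", and the comparison is done on epoch values before formatting, which is an added choice rather than something the post specifies.

```spl
index=gamification
| spath
| rename gamification.action.name AS actionId,
         gamification.user.id AS playerId,
         _indextime AS date,
         gamification.origin.name AS origin
| where origin="sparxea"
| eval updated=[
    search index=gamification sourcetype=stash
    | stats count AS stashCount, max(_indextime) AS lastIndexTime
    | eval updated=if(stashCount==0, now(), lastIndexTime)
    | return $updated
  ]
| where date > updated
| eval updated=strftime(updated, "%Y.%m.%d %H:%M:%S"),
       date=strftime(date, "%Y.%m.%d %H:%M:%S")
| table updated, date, playerId, actionId
```

If the stash search matches nothing, `stashCount` is 0 and `updated` becomes `now()`; otherwise it is the most recent `_indextime` of the matched events. Either way the outer eval receives a number, so the malformed-expression error does not occur. The `| script ...` and `| collect ...` steps from the original query can be appended unchanged after the `table` line.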