https://community.splunk.com/t5/Splunk-Search/How-abort-a-search-based-on-a-condition/m-p/360084#M106472 <P>I'm running many scheduled searches. In SQL, there is the "on error" capability that let's you avoid taking further action if something broke before.</P> <P>Many of our searches do something like the following:</P> <PRE><CODE>|dbxquery connection=xxx query="select * from tablex" |massage the data |outputlookup tablex_fast_lookup </CODE></PRE> <P>If the SQL command dies due to a SQL issue, then we end up writing an empty lookup file. Once the lookup file is empty, dozens of other things break. I suppose I could convert it to a kv-store and merge data to the lookup with a last update timestamp. Then we could purge older data based on the timestamp.</P> <P>I figured that if I could abort the command, then the lookup file would have stale data, but it would not be empty.</P> Tue, 21 Mar 2017 17:27:36 GMT reed_kelly 2017-03-21T17:27:36Z https://community.splunk.com/t5/Splunk-Search/How-abort-a-search-based-on-a-condition/m-p/360080#M106468 <P>I have a search that writes a lookup file at the end. I also have searches that end in a collect command. And there are other things that I would like to do that cause side-effects. What I am looking for is a way to abort a search before getting to the commands with side effects.</P> <P>For example,</P> <PRE><CODE>index=abc ... ... |abort condition=[count &lt; 50] ... |collect index=summary |outputlookup abc.csv |my_custom_command_to_post_to_twitter |etc... </CODE></PRE> <P>I could probably do it all by wrapping the latter half in a map command, but I am looking for an easier way.</P> Fri, 17 Mar 2017 17:20:40 GMT https://community.splunk.com/t5/Splunk-Search/How-abort-a-search-based-on-a-condition/m-p/360080#M106468 reed_kelly 2017-03-17T17:20:40Z https://community.splunk.com/t5/Splunk-Search/How-abort-a-search-based-on-a-condition/m-p/360081#M106469 <P>This explains how to do it with <CODE>map</CODE> but you can just as easily do it with a <CODE>subsearch</CODE>:</P> <P><A href="https://answers.splunk.com/answers/172541/is-it-possible-to-purposely-cause-a-scheduled-sear.html">https://answers.splunk.com/answers/172541/is-it-possible-to-purposely-cause-a-scheduled-sear.html</A></P> <P>Also, instead of having the search cause an error with bogus time values, you could just as easily replace the entire search with <CODE>|noop</CODE>.</P> Sun, 19 Mar 2017 03:58:32 GMT https://community.splunk.com/t5/Splunk-Search/How-abort-a-search-based-on-a-condition/m-p/360081#M106469 woodcock 2017-03-19T03:58:32Z https://community.splunk.com/t5/Splunk-Search/How-abort-a-search-based-on-a-condition/m-p/360082#M106470 <P>I'd rather not do it with a map, because some of my finishing commands already leverage map. For the "Accept" how would you do it with a subsearch?</P> Tue, 21 Mar 2017 16:03:31 GMT https://community.splunk.com/t5/Splunk-Search/How-abort-a-search-based-on-a-condition/m-p/360082#M106470 reed_kelly 2017-03-21T16:03:31Z https://community.splunk.com/t5/Splunk-Search/How-abort-a-search-based-on-a-condition/m-p/360083#M106471 <P>How are you running the search, scheduled or ad-hoc?</P> Tue, 21 Mar 2017 16:32:33 GMT https://community.splunk.com/t5/Splunk-Search/How-abort-a-search-based-on-a-condition/m-p/360083#M106471 somesoni2 2017-03-21T16:32:33Z https://community.splunk.com/t5/Splunk-Search/How-abort-a-search-based-on-a-condition/m-p/360084#M106472 <P>I'm running many scheduled searches. In SQL, there is the "on error" capability that let's you avoid taking further action if something broke before.</P> <P>Many of our searches do something like the following:</P> <PRE><CODE>|dbxquery connection=xxx query="select * from tablex" |massage the data |outputlookup tablex_fast_lookup </CODE></PRE> <P>If the SQL command dies due to a SQL issue, then we end up writing an empty lookup file. Once the lookup file is empty, dozens of other things break. I suppose I could convert it to a kv-store and merge data to the lookup with a last update timestamp. Then we could purge older data based on the timestamp.</P> <P>I figured that if I could abort the command, then the lookup file would have stale data, but it would not be empty.</P> Tue, 21 Mar 2017 17:27:36 GMT https://community.splunk.com/t5/Splunk-Search/How-abort-a-search-based-on-a-condition/m-p/360084#M106472 reed_kelly 2017-03-21T17:27:36Z https://community.splunk.com/t5/Splunk-Search/How-abort-a-search-based-on-a-condition/m-p/360085#M106473 <P>Or you can do it with a <CODE>subsearch</CODE>, like this:</P> <PRE><CODE>YOUR BASE SEARCH HERE [| noop | stats count AS blackout | addinfo | eval blackout=case((SomeLogic="For Blackout Here"), "YES", (OtherLogic="For Blackout Here"), "YES", true(),"NO") | eval earliestMaybe=if((blackout=="NO"), info_min_time, now()) | eval latestMaybe=if((blackout=="NO"), info_max_time, 0) | eval search="earliest=" . earliestMaybe . " latest=" . info_max_time] | YOUR POST SEARCH HERE </CODE></PRE> Tue, 21 Mar 2017 18:31:19 GMT https://community.splunk.com/t5/Splunk-Search/How-abort-a-search-based-on-a-condition/m-p/360085#M106473 woodcock 2017-03-21T18:31:19Z https://community.splunk.com/t5/Splunk-Search/How-abort-a-search-based-on-a-condition/m-p/360086#M106474 <P>For just this particular problem (empty lookup when no data), you could do something like this<BR /> <STRONG>Updated</STRONG></P> <PRE><CODE> |dbxquery connection=xxx query="select * from tablex" |massage the data | eval type="new" | append [ | inputlookup tablex_fast_lookup | eval type="old"] | eventstats count(eval(type="new")) as hasData | eval filter=if(hasData&gt;0,"new","old") | where type=filter | fields - type hasData filter |outputlookup tablex_fast_lookup </CODE></PRE> <P>Basically, if base search has no data, re-add the existing data from lookup again.</P> Tue, 21 Mar 2017 18:45:03 GMT https://community.splunk.com/t5/Splunk-Search/How-abort-a-search-based-on-a-condition/m-p/360086#M106474 somesoni2 2017-03-21T18:45:03Z https://community.splunk.com/t5/Splunk-Search/How-abort-a-search-based-on-a-condition/m-p/360087#M106475 <P>For the append, I think you mean "inputlookup". I know what you mean and this works well for that case.<BR /> -Thanks</P> Tue, 21 Mar 2017 19:43:16 GMT https://community.splunk.com/t5/Splunk-Search/How-abort-a-search-based-on-a-condition/m-p/360087#M106475 reed_kelly 2017-03-21T19:43:16Z https://community.splunk.com/t5/Splunk-Search/How-abort-a-search-based-on-a-condition/m-p/360088#M106476 <P>Taking it one step further, I made a global macro:</P> <PRE><CODE>[outputlookup_if_data(1)] args = lookup_file definition = eval upx_type="new" | append [ |inputlookup $lookup_file$ | eval u px_type="old"] | eventstats count(eval(upx_type="new")) as upx_hasData | eval u px_filter=if(upx_hasData&gt;0,"new","old") | where upx_type=upx_filter | fields - upx_type upx_hasData upx_filter | outputlookup $lookup_file$ </CODE></PRE> Tue, 21 Mar 2017 19:59:58 GMT https://community.splunk.com/t5/Splunk-Search/How-abort-a-search-based-on-a-condition/m-p/360088#M106476 reed_kelly 2017-03-21T19:59:58Z https://community.splunk.com/t5/Splunk-Search/How-abort-a-search-based-on-a-condition/m-p/360089#M106477 <P>You could make use of the override_if_empty attribute of outputlookup:</P> <PRE><CODE> | dbxquery connection=xxx query="select * from tablex" |massage the data |discard all events when an error condition occurs, maybe using: | eventstats count as dbresults | where dbresults &gt; 10000 | outputlookup tablex_fast_lookup override_if_empty=false </CODE></PRE> Wed, 30 Sep 2020 04:10:30 GMT https://community.splunk.com/t5/Splunk-Search/How-abort-a-search-based-on-a-condition/m-p/360089#M106477 mmol 2020-09-30T04:10:30Z