topic Help with putting a conditional in my search in Splunk Search

Help with putting a conditional in my search

a212830 — Wed, 10 Apr 2019 11:19:48 GMT

Hi,

Someone was kind enough to help me with this yesterday: link text

And it worked fine, until I realized that there will be times when the base search does not return any events. I'd like to add some logic to only run the dbxquery if the base search returns one event. Is there a way to do that?

Here's the query:

index=main sourcetype=ampData_source 
 | fields BATCHSEQUENCE 
 | dedup BATCHSEQUENCE 
 | sort 0 - BATCHSEQUENCE 
 | head 1
 | table BATCHSEQUENCE | map search="| dbxquery query=\"SELECT analyticsutil.closeBatchFunction($BATCHSEQUENCE$,'Y') from dual;\" connection=\"ERPM\"" maxsearches=1

Re: Help with putting a conditional in my search

dmarling — Wed, 10 Apr 2019 15:05:03 GMT

If you are truly not getting any base events to pass the token to the mapped dbxquery, then it should just fail the search with an error "Error in 'map': Did not find value for required attribute 'BATCHSEQUENCE'." If your goal is not have that error at all then this can accomplish that:

[| makeresults count=1 
    | eval search=if( 
        [ search index=main sourcetype=ampData_source 
        | fields BATCHSEQUENCE 
        | dedup BATCHSEQUENCE 
        | sort 0 - BATCHSEQUENCE 
        | head 1 
        | stats count 
        | return $count]>0, "index=main sourcetype=ampData_source 
| fields BATCHSEQUENCE 
| dedup BATCHSEQUENCE 
| sort 0 - BATCHSEQUENCE 
| head 1
| table BATCHSEQUENCE 
| map search=\"| dbxquery query=\\\"SELECT analyticsutil.closeBatchFunction($BATCHSEQUENCE$,'Y') from dual;\\\" connection=\\\"ERPM\\\"\" maxsearches=1", null()) 
    | table search]

You will now just get no results instead of an error.

Re: Help with putting a conditional in my search

manunairadavakk — Wed, 30 Sep 2020 02:08:23 GMT

@dmarling

I was trying the above solution, but getting the error Unknown search command '0'.
My query is:

[| makeresults count=1
|eval search=if(
[search index="ass_main" host=pr CASE(4333)
| rex field=_raw "(?<EMPID>EMP[0-9]{12})"
| fields EMPID
| dedup EMPID
| sort 0 - EMPID
| head 1
| stats count
| return $count]>0,"index="ass_main" host=pr CASE(433)
| rex field=_raw "(?<EMPID>EMP[0-9]{12})"
| fields EMPID
| dedup EMPID
| stats values(EMPID) as EMPID
| eval EMPID= "'".mvjoin(INCID, "','")."'"
| map search="| dbxquery query=\"select \\"Emp Number\\",\\"Description\\"
FROM
BIA_BA_EUL.\\"View Emp Helpdesk\\" WHERE \\"Emp Number\\" IN ($EMPID$) \"
connection=\"NTZ-SVC-PR1\"",null())
| table search]

Re: Help with putting a conditional in my search

dmarling — Thu, 05 Sep 2019 17:26:15 GMT

Hi @manunairadavakkat What version of Splunk are you running? Can you repost that query in the code sample box so it doesn't escape some of the special characters? You can do that by hitting Ctrl + K on your key board or clicking the button that has 101010 in the comment GUI.