topic Re: How to suppress search results when a certain condition is met? in Splunk Search

How to suppress search results when a certain condition is met?

jmoeller — Tue, 14 Aug 2018 13:28:30 GMT

I need help with a very basic search concept. I need a way to suppress search results if a certain condition is met. I have a CSV file (file.csv)

Maint
YES

I need the exact search that would follow this basic logic...

   index=* (whatever the search)  look at file.csv  If Maint="YES" ensure  search returns nothing, otherwise return as normal

Please provide actual working search (I have tried many ways and I am sure I am missing something small, I am not familiar enough with the searches to fix minor issues)

Re: How to suppress search results when a certain condition is met?

renjith_nair — Tue, 14 Aug 2018 17:21:16 GMT

@jmoeller,

Here is what I tried and working

Created a csv with just column name as Maint and value as Yes
Added the file as a lookup table from Lookups » Lookup table files
Created a lookup definition from Lookups » Lookup definitions » maint

Executed below search and gives me the result

index=_internal|stats count by sourcetype
| appendcols [| inputlookup maint]
| filldown Maint

And below no result

index=_internal|stats count by sourcetype
| appendcols [| inputlookup maint]
| filldown Maint
| where Maint!="Yes"

Try if this works for your environment

Re: How to suppress search results when a certain condition is met?

jmoeller — Tue, 14 Aug 2018 18:08:55 GMT

Thank you! It is working and I will mark it as answered because it does exactly what I asked. However, my oversimplification has created a new "problem". My csv actually has additional columns. When I run your suggestion, I get the results of the original query but I also get the additional columns from my csv (to the right of the results). You would not have seen that because you followed my question, this is my fault. If you add an additional column to your cvs, you should see the same. Are you aware of an easy way to remove the extra columns?

Thanks again,
Jonathan

Re: How to suppress search results when a certain condition is met?

jmoeller — Tue, 14 Aug 2018 18:19:42 GMT

Actually, I spoke too soon. It works with a query involving statistics but if you remove "| stats count by sourcetype", you receive and error "Error in appendcols' command.

Re: How to suppress search results when a certain condition is met?

renjith_nair — Wed, 15 Aug 2018 03:10:32 GMT

Hi Jonathan(@jmoeller),

No worries,you could use append also. I now have three columns in the csv and just selected Maint by using fields. Try this and let me know if it works for you as well.

index=_internal|append [| inputlookup Maint|fields Maint]|reverse|filldown Maint|reverse|where Maint!="Yes"

Re: How to suppress search results when a certain condition is met?

jmoeller — Wed, 15 Aug 2018 14:48:13 GMT

Thanks again. It is working but there is still a minor issue. When I use the search above, it "appends" a blank event at the bottom of the list. Since we are using this for alerting, a simplified search would be...

EventCode=1000

The alert would trigger if there is a record returned, thus the issue.

You should see it if you just modify your example to and index that doesn't exist. You should see a singe event returned rather than zero.

Thanks, again for all of your help. If we can get rid of the extra event, I am golden.

Re: How to suppress search results when a certain condition is met?

renjith_nair — Thu, 16 Aug 2018 03:57:28 GMT

Hi Jonathan(@jmoeller),

Thanks for highlighting it. You could just filter it out by adding |where _raw!="" at the end of the search. Its purely depends on your search results. If you have just events returned , then above should work and if you have some fields displayed , for e.g. table field1,field2 then you could add the condition based on the field also. Let me know how it goes.

Thanks!