https://community.splunk.com/t5/Splunk-Search/return-command-exit-or-return-known-value-if-no-results-found/m-p/51874#M12589 <P>Not sure if that syntax is quite correct, but the idea works and I cant find anything better - thanks cramasta!</P> Tue, 04 Jun 2013 06:53:51 GMT thewer 2013-06-04T06:53:51Z https://community.splunk.com/t5/Splunk-Search/return-command-exit-or-return-known-value-if-no-results-found/m-p/51872#M12587 <P>I have a search that is basically (there are actually 2 sub searches, but this makes it easier to understand):</P> <PRE><CODE>index="weblogs" [ SEARCH index="custcomplaintlogs" earliest=-1d | return 50 $custsession ] </CODE></PRE> <P>This normally returns the weblogs that contain any of the customer sessions where the customers complained (ie: find what the complaining customer actually did on the site). However when there are no results in "custcomplaintlogs" over the last day it returns EVERYTHING from "weblogs". If there is something in "custcomplaintlogs" it will give the weblogs for the customers session only.</P> <P>How can I stop it returning everything if the subsearch has no results. I want to either exit, or return something that will match nothing in the weblogs.</P> Fri, 31 May 2013 08:08:53 GMT https://community.splunk.com/t5/Splunk-Search/return-command-exit-or-return-known-value-if-no-results-found/m-p/51872#M12587 thewer 2013-05-31T08:08:53Z https://community.splunk.com/t5/Splunk-Search/return-command-exit-or-return-known-value-if-no-results-found/m-p/51873#M12588 <P>Not sure if there is a better way, but what if you did something like this</P> <P><CODE>index="weblogs" [ SEARCH index="custcomplaintlogs" earliest=-1d | append [earliest=-1s |stats count | eval custsession="NeverEverGonnaFindMeInSplunk" | fields custsession]| return 50 $custsession ]</CODE></P> <P>This will basically just add another value to custsession which will never be found in splunk. If your subsearch doesn't return any values with the return command it will at least always return NeverEverGonnaFindMeInSplunk which will stop the main search from searching for everything</P> Fri, 31 May 2013 20:06:45 GMT https://community.splunk.com/t5/Splunk-Search/return-command-exit-or-return-known-value-if-no-results-found/m-p/51873#M12588 cramasta 2013-05-31T20:06:45Z https://community.splunk.com/t5/Splunk-Search/return-command-exit-or-return-known-value-if-no-results-found/m-p/51874#M12589 <P>Not sure if that syntax is quite correct, but the idea works and I cant find anything better - thanks cramasta!</P> Tue, 04 Jun 2013 06:53:51 GMT https://community.splunk.com/t5/Splunk-Search/return-command-exit-or-return-known-value-if-no-results-found/m-p/51874#M12589 thewer 2013-06-04T06:53:51Z https://community.splunk.com/t5/Splunk-Search/return-command-exit-or-return-known-value-if-no-results-found/m-p/51875#M12590 <P>Yeah forgot an additional end bracket at the end of the fields command. I updated the post.</P> Tue, 04 Jun 2013 13:51:06 GMT https://community.splunk.com/t5/Splunk-Search/return-command-exit-or-return-known-value-if-no-results-found/m-p/51875#M12590 cramasta 2013-06-04T13:51:06Z https://community.splunk.com/t5/Splunk-Search/return-command-exit-or-return-known-value-if-no-results-found/m-p/51876#M12591 <P>thanks! it worked by eval new row with 0 value and put it at the and of the resulting table, requesting "head 1". Then if the search is empty then only that last 0 come that I can take within the rest of the code.</P> <P>i.e </P> <PRE><CODE>index="myIndex" | where pString = "xyz" | append [ | stats count | fields - count | eval pString = 0 ] | eval recs=if(pString=0,0,1) | sort recs DESC | head 1 | table pString </CODE></PRE> Wed, 14 Dec 2016 19:57:37 GMT https://community.splunk.com/t5/Splunk-Search/return-command-exit-or-return-known-value-if-no-results-found/m-p/51876#M12591 unchura 2016-12-14T19:57:37Z https://community.splunk.com/t5/Splunk-Search/return-command-exit-or-return-known-value-if-no-results-found/m-p/51877#M12592 <P>Would probably be better if you did this instead:</P> <P>index="weblogs" [ SEARCH index="custcomplaintlogs" earliest=-1d | append [earliest=-1s |stats count | eval custsession=if(isnull(custsession,"null",custsession) | fields custsession]| return 50 $custsession ]</P> <P>or</P> <P>index="weblogs" [ SEARCH index="custcomplaintlogs" earliest=-1d | append [earliest=-1s |stats count | fillnull custsession | fields custsession]| return 50 $custsession ]</P> Fri, 14 Apr 2017 14:29:53 GMT https://community.splunk.com/t5/Splunk-Search/return-command-exit-or-return-known-value-if-no-results-found/m-p/51877#M12592 jkat54 2017-04-14T14:29:53Z