https://community.splunk.com/t5/Splunk-Search/How-to-create-event-if-no-results-are-returned/m-p/588618#M205008 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/243098">@Gian89</a>,</P><P>the most important thingi is that you solved your need.</P><P>We created an italian Splunk User Group, we didn't still have any event but we're organizing.</P><P>See next time.</P><P>Ciao and happy splunking.</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated by all the Contributors.</P> Fri, 11 Mar 2022 09:54:54 GMT gcusello 2022-03-11T09:54:54Z https://community.splunk.com/t5/Splunk-Search/How-to-create-event-if-no-results-are-returned/m-p/587842#M204725 <P>Hello Community,</P> <P>I have quite a strange issue to face...<BR />For a project I'm working on, I would need to create a new case if the search returns no events.<BR />I've tried to create a dummy example to make myself clear:</P> <PRE>| makeresults <BR />| eval letter1="A", letter2="B", letter3="C" <BR />| append <BR />&nbsp; &nbsp; [| makeresults <BR />&nbsp; &nbsp; | eval letter1="D", letter2="E", letter3="F"] <BR />| search letter1="K"<BR />| appendpipe <BR />&nbsp; &nbsp; [| <STRONG>??ifnotresults??</STRONG> <BR />&nbsp; &nbsp; | append <BR />&nbsp; &nbsp; &nbsp; &nbsp; [| makeresults <BR />&nbsp; &nbsp; &nbsp; &nbsp; | eval letter1="X", letter2="Y", letter3="Z"] <BR />&nbsp; &nbsp; | where false() ] <BR />| table letter1 letter2 letter3</PRE> <P>&nbsp;</P> <P>In particular, I have no idea how to evaluate the&nbsp;<STRONG>??ifnotresults??</STRONG>&nbsp; part.</P> <P>Do you think it is possible to achieve this?</P> <P>Thanks in advance for your kind support</P> Tue, 08 Mar 2022 04:50:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-event-if-no-results-are-returned/m-p/587842#M204725 Gian89 2022-03-08T04:50:29Z https://community.splunk.com/t5/Splunk-Search/How-to-create-event-if-no-results-are-returned/m-p/587849#M204729 <P>i&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/243098">@Gian89</a>,</P><P>let me understand:</P><UL><LI>you have many events from e.g. a list of hosts and you want to have a message when there isn't any result e.g. from one of those hosts, is it correct?</LI></UL><P>If this is your situation, you have three choices:</P><UL><LI>if you have only one check to perform (e.g. only one host),</LI><LI>if you have few checks to perform (e.g. few hosts to check),</LI><LI>if you have many ckecks to perform (e.g. many hosts to check).</LI></UL><P>in the first case you have to run a simple search and generate an alert if there isn't any result</P><LI-CODE lang="markup">| makeresults index=_internal host=your_host</LI-CODE><P>in the second case, you have to run a simple search like this:</P><LI-CODE lang="markup">| metasearch index=_internal hostIN (host1, host2,host3) | stats count BY host | append [ | makeresults | eval host=host1, count=0 | fields host count ] | append [ | makeresults | eval host=host2, count=0 | fields host count ] | append [ | makeresults | eval host=host3, count=0 | fields host count ] | stats sum(count) AS total BY host | where total=0</LI-CODE><P>In the third case, you have to creat e a lookup (called e.g. perimeter.csv) containing the list of objects to search (e.g. host) and run something like this:</P><LI-CODE lang="markup">| metasearch index=_internal hostIN (host1, host2,host3) | eval host=lower(host) | stats count BY host | append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ] | stats sum(count) AS total BY host | where total=0</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Mon, 07 Mar 2022 13:05:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-event-if-no-results-are-returned/m-p/587849#M204729 gcusello 2022-03-07T13:05:01Z https://community.splunk.com/t5/Splunk-Search/How-to-create-event-if-no-results-are-returned/m-p/587853#M204732 <P>Test for results using <FONT face="courier new,courier">stats count</FONT> and <FONT face="courier new,courier">where count=0</FONT> within the <FONT face="courier new,courier">appendpipe</FONT>.</P><LI-CODE lang="markup">| makeresults | eval letter1="A", letter2="B", letter3="C" | append [| makeresults | eval letter1="D", letter2="E", letter3="F"] | search letter1="K" | appendpipe [ stats count | eval letter1="X", letter2="Y", letter3="Z" | where count=0 | fields - count ] | table letter1 letter2 letter3</LI-CODE><P>&nbsp;</P> Mon, 07 Mar 2022 13:19:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-event-if-no-results-are-returned/m-p/587853#M204732 richgalloway 2022-03-07T13:19:56Z https://community.splunk.com/t5/Splunk-Search/How-to-create-event-if-no-results-are-returned/m-p/588604#M205007 <P>Ciao Giuseppe,</P><P>thanks for your answer but it was not what I was looking for. The answer from&nbsp;<SPAN>richgalloway is what I was looking for <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</SPAN></P><P>Thanks anyway for your feedback!&nbsp;</P> Fri, 11 Mar 2022 09:36:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-event-if-no-results-are-returned/m-p/588604#M205007 Gian89 2022-03-11T09:36:39Z https://community.splunk.com/t5/Splunk-Search/How-to-create-event-if-no-results-are-returned/m-p/588618#M205008 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/243098">@Gian89</a>,</P><P>the most important thingi is that you solved your need.</P><P>We created an italian Splunk User Group, we didn't still have any event but we're organizing.</P><P>See next time.</P><P>Ciao and happy splunking.</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated by all the Contributors.</P> Fri, 11 Mar 2022 09:54:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-event-if-no-results-are-returned/m-p/588618#M205008 gcusello 2022-03-11T09:54:54Z