https://community.splunk.com/t5/Splunk-Search/Return-something-when-search-doesn-t-return-anything/m-p/24799#M4613 <P>My own comment of 'set math' set me on a path to the "set union" command. I now search for successes and failures and combine to a single table.</P> <P>I have not answered my original question, but I have a work around for my current problem.</P> Wed, 30 Nov 2011 18:51:27 GMT jordans 2011-11-30T18:51:27Z https://community.splunk.com/t5/Splunk-Search/Return-something-when-search-doesn-t-return-anything/m-p/24796#M4610 <P>I want to have a table with results of a search of the SQL logs for backups. But the search I have only returns the successful backups. I want to display a line in the table if a backup failed, i.e. if a database name does NOT appear in the search results. </P> <P>Is this possible? I tried an 'append', but the last line is repeated if the search term is not found.</P> Tue, 29 Nov 2011 23:18:48 GMT https://community.splunk.com/t5/Splunk-Search/Return-something-when-search-doesn-t-return-anything/m-p/24796#M4610 jordans 2011-11-29T23:18:48Z https://community.splunk.com/t5/Splunk-Search/Return-something-when-search-doesn-t-return-anything/m-p/24797#M4611 <P>Do you have (or can generate) a list of all Database Names? <BR /> You could index that list.<BR /> Extract the database name from the backup logs. Use the same fieldname (e.g., db_name) in both sourcetypes (the list of all databases and the backup log)</P> <P>The following should give you a list of database names from the alldatabases sourcetype that aren't matched in the backuplog sourcetype.</P> <PRE><CODE>sourcetype="alldatabases" | join type=outer db_name [search sourcetype=backuplog] | search sourcetype=alldatabases | table db_name </CODE></PRE> Wed, 30 Nov 2011 16:03:29 GMT https://community.splunk.com/t5/Splunk-Search/Return-something-when-search-doesn-t-return-anything/m-p/24797#M4611 eelisio2 2011-11-30T16:03:29Z https://community.splunk.com/t5/Splunk-Search/Return-something-when-search-doesn-t-return-anything/m-p/24798#M4612 <P>I don't think the set math works. I get a list of all databases from the database list. </P> <P>To test, I added a bogus database name to a txt file of valid db names, indexed it, and performed your search.</P> Wed, 30 Nov 2011 18:32:57 GMT https://community.splunk.com/t5/Splunk-Search/Return-something-when-search-doesn-t-return-anything/m-p/24798#M4612 jordans 2011-11-30T18:32:57Z https://community.splunk.com/t5/Splunk-Search/Return-something-when-search-doesn-t-return-anything/m-p/24799#M4613 <P>My own comment of 'set math' set me on a path to the "set union" command. I now search for successes and failures and combine to a single table.</P> <P>I have not answered my original question, but I have a work around for my current problem.</P> Wed, 30 Nov 2011 18:51:27 GMT https://community.splunk.com/t5/Splunk-Search/Return-something-when-search-doesn-t-return-anything/m-p/24799#M4613 jordans 2011-11-30T18:51:27Z https://community.splunk.com/t5/Splunk-Search/Return-something-when-search-doesn-t-return-anything/m-p/24800#M4614 <P>I'm glad that you found a different solution. The search from my answer will work as well. There needs to be a common field name for the join command to work. </P> <P>Note that if you run my search without " | search sourcetype=alldatabases | table db_name", the result set has a mix of the 2 sourcetypes. The rows with the sourcetype="alldatabases" did not find a match in the other sourcetype. So, the extra search command at the end should filter the results accordingly.</P> Wed, 30 Nov 2011 19:27:21 GMT https://community.splunk.com/t5/Splunk-Search/Return-something-when-search-doesn-t-return-anything/m-p/24800#M4614 eelisio2 2011-11-30T19:27:21Z