I have two searches which I am joining with appendcols, passing the result of the subquery to the main query.
index="index" sourcetype="aws:cloudwatch" source="source" account_id="account" metric_name="numberofmessages" CORS_Value>"1"
| eval numberofmessages=CORS_Value/5
| rename metric_dimensions as queue_names
| table queue_names numberofmessages
| appendcols [ search index="index" sourcetype="aws:cloudwatch" source="source" account_id="account" metric_name="ageofmessages" Sum>0 | rename Sum AS TimeinQueue | table TimeinQueue ]
| dedup queue_names
The problem with this is that the main query returns its own results even if the subquery did not produce any result. Basically, I want the main query to run only if the subquery satisfies the condition.
Can someone assist with this please?
index="index" sourcetype="aws:cloudwatch" source="source" account_id="account"
AND ((metric_name="numberofmessages" CORS_Value>"1") OR (metric_name="ageofmessages" Sum>0 ))
| eval numberofmessages=CORS_Value/5
| rename Sum AS TimeinQueue
| rename metric_dimensions as queue_names
| table queue_names numberofmessages TimeinQueue metric_name
| stats values(*) as * dc(metric_name) as flag by queue_names
| where flag > 1 AND match(metric_name,"ageofmessages")
I think this query displays the same result.
If you create a dashboard, maybe you can do what you say.
I tried this query, but it is not displaying any result; in fact, no events at all.
Do you know how we can make the main query dependent on the subquery?
Make a dashboard and use the token $job.resultCount$.
reference: https://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens
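As an added example (not posted by anyone in this thread), here is a Simple XML dashboard that applies the $job.resultCount$ suggestion to the two searches from the question. The ageofmessages search runs first as a global search; its done handler sets a token only when the job produced at least one row, and the panel holding the numberofmessages search depends on that token, so that panel stays hidden (and its search is not dispatched) whenever the former subquery is empty. The index, source and account_id values are the placeholders used in the thread, and the time range is an assumption:

```xml
<!-- Added example, not from the original thread. Gates the main search on the
     result count of the former subsearch via a token set in a done handler. -->
<dashboard>
  <label>Queue backlog (main query gated on age-of-messages search)</label>

  <!-- Gating search: the former appendcols subquery, run on its own. -->
  <search id="age_search">
    <query>
      index="index" sourcetype="aws:cloudwatch" source="source" account_id="account"
        metric_name="ageofmessages" Sum>0
      | rename Sum AS TimeinQueue, metric_dimensions AS queue_names
      | table queue_names TimeinQueue
    </query>
    <earliest>-15m</earliest>   <!-- assumed time range -->
    <latest>now</latest>
    <done>
      <!-- job.resultCount is the number of rows this search returned. -->
      <condition match="'job.resultCount' &gt; 0">
        <set token="age_has_results">true</set>
      </condition>
      <condition>
        <unset token="age_has_results"></unset>
      </condition>
    </done>
  </search>

  <row>
    <!-- Rendered only while the token is set; hidden panels do not dispatch searches. -->
    <panel depends="$age_has_results$">
      <title>Queues with messages waiting</title>
      <table>
        <search>
          <query>
            index="index" sourcetype="aws:cloudwatch" source="source" account_id="account"
              metric_name="numberofmessages" CORS_Value>"1"
            | eval numberofmessages=CORS_Value/5
            | rename metric_dimensions AS queue_names
            | table queue_names numberofmessages
            | dedup queue_names
          </query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>

    <!-- Shown instead when the gating search came back empty. -->
    <panel rejects="$age_has_results$">
      <html><p>No queue currently reports ageofmessages above 0.</p></html>
    </panel>
  </row>
</dashboard>
```

The match expression in the condition uses the single-quoted token form documented on the tokens page linked above; the done handler fires once per run of the gating search, so the second panel appears and disappears as the age-of-messages data changes between refreshes.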