Re: Executing main search only if subquery satisfi...

bsaujla131984 · ‎04-24-2020

I have two searches which I am running by joining with appendcols and passed the result of subquery to main query.

index="index" sourcetype="aws:cloudwatch" source="source" account_id="account" metric_name="numberofmessages" CORS_Value>"1" | eval numberofmessages=CORS_Value/5 | rename metric_dimensions as queue_names | table queue_names numberofmessages | appendcols [ search index="index" sourcetype="aws:cloudwatch" source="source" account_id="account" metric_name="ageofmessages" Sum>0 | rename Sum AS TimeinQueue | table TimeinQueue] | dedup queue_names

Problem with this is , main query provides the result of itself even if subquery did not produce any result. Basically I want main query to be run only if subquery satisfies the condition.

Can someone assist with this please?

to4kawa · ‎04-24-2020

index="index" sourcetype="aws:cloudwatch" source="source" account_id="account" 
AND ((metric_name="numberofmessages" CORS_Value>"1") OR (metric_name="ageofmessages" Sum>0 ))
| eval numberofmessages=CORS_Value/5 
| rename Sum AS TimeinQueue 
| rename metric_dimensions as queue_names 
| table queue_names numberofmessages TimeinQueue metric_name
| stats values(*) as * dc(metric_name) as flag by queue_names
| where flag > 1 AND match(metric_name,"ageofmessages")

I think this query displays same result.

If you create dashboard, maybe you can do what you say.

bsaujla131984 · ‎04-24-2020

I tried this query , but is not displaying any result even infact no event.

Do you know how can we make main query dependent on subquery?

to4kawa · ‎04-24-2020

make dashboard and use token $job.resultCount$

reference: https://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens

Executing main search only if subquery satisfies the condition

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life