Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to have a search run outputcsv even if the search returns no data and fill with NULL values?

pete_charlton
Explorer
‎09-16-2014 11:22 AM

I have a report that dumps to an outputcsv, during the weekends this report will not return any values due to the lack of user traffic to the environment. I want to have my search create a blank CSV with only the column headers and a NULL value.

My search example is below.

index=index1 source=log1 "string of text" "string of text" | append [search index=index2 source=log2 Field=value] | table _raw | addinfo | eval ResultsTime="ResultsTime="+strftime(info_search_time,"%FT%T%z") | eval ResultsRange_Begining="ResultsRange_Begining="+strftime(info_min_time,"%FT%T%z") | eval ResultsRange_End="ResultsRange="+strftime(info_max_time,"%FT%T%z") | eval ResultsID="ResultsID="+info_sid | fields - info_min_time, info_max_time, info_search_time, info_sid | outputcsv file.csv

Reply
1 Solution
Solved! Jump to solution
Solution

chris
Motivator
‎09-16-2014 01:18 PM

Two suggestions that do not do exactly what you want but they might help:

  • There is a create_empty option to outputcsv that will just create an empty file (without the header & NULL values):

    index=index1 source=log1 "string of text" "string of text" | append [search index=index2 source=log2 Field=value] | table _raw | addinfo | eval ResultsTime="ResultsTime="+strftime(info_search_time,"%FT%T%z") | eval ResultsRange_Begining="ResultsRange_Begining="+strftime(info_min_time,"%FT%T%z") | eval ResultsRange_End="ResultsRange="+strftime(info_max_time,"%FT%T%z") | eval ResultsID="ResultsID="+info_sid | fields - info_min_time, info_max_time, info_search_time, info_sid | outputcsv create_empty=true file.csv

  • If you can afford to have a line with literal NULL in your csv even if your search returns other Results:

    index=index1 source=log1 "string of text" "string of text" | append [search index=index2 source=log2 Field=value] | table _raw | addinfo | eval ResultsTime="ResultsTime="+strftime(info_search_time,"%FT%T%z") | eval ResultsRange_Begining="ResultsRange_Begining="+strftime(info_min_time,"%FT%T%z") | eval ResultsRange_End="ResultsRange="+strftime(info_max_time,"%FT%T%z") | eval ResultsID="ResultsID="+info_sid |append [ stats count | foreach _raw fielda fieldb ResultsTime ResultsRange_Begining ResultsRange_End ResultsID [eval <>="NULL"]]| fields - info_min_time, info_max_time, info_search_time, info_sid, count | outputcsv create_empty=true file.csv

Just add whatever fields you need to the foreach command

Hope this helps

Chris

View solution in original post

Reply
Solved! Jump to solution
Solution

chris
Motivator
‎09-16-2014 01:18 PM

Two suggestions that do not do exactly what you want but they might help:

  • There is a create_empty option to outputcsv that will just create an empty file (without the header & NULL values):

    index=index1 source=log1 "string of text" "string of text" | append [search index=index2 source=log2 Field=value] | table _raw | addinfo | eval ResultsTime="ResultsTime="+strftime(info_search_time,"%FT%T%z") | eval ResultsRange_Begining="ResultsRange_Begining="+strftime(info_min_time,"%FT%T%z") | eval ResultsRange_End="ResultsRange="+strftime(info_max_time,"%FT%T%z") | eval ResultsID="ResultsID="+info_sid | fields - info_min_time, info_max_time, info_search_time, info_sid | outputcsv create_empty=true file.csv

  • If you can afford to have a line with literal NULL in your csv even if your search returns other Results:

    index=index1 source=log1 "string of text" "string of text" | append [search index=index2 source=log2 Field=value] | table _raw | addinfo | eval ResultsTime="ResultsTime="+strftime(info_search_time,"%FT%T%z") | eval ResultsRange_Begining="ResultsRange_Begining="+strftime(info_min_time,"%FT%T%z") | eval ResultsRange_End="ResultsRange="+strftime(info_max_time,"%FT%T%z") | eval ResultsID="ResultsID="+info_sid |append [ stats count | foreach _raw fielda fieldb ResultsTime ResultsRange_Begining ResultsRange_End ResultsID [eval <>="NULL"]]| fields - info_min_time, info_max_time, info_search_time, info_sid, count | outputcsv create_empty=true file.csv

Just add whatever fields you need to the foreach command

Hope this helps

Chris

Reply
Solved! Jump to solution

Aminion
Engager
‎05-04-2023 04:12 AM

HI @chris,

I added this line to my report query   | outputcsv create_empty=true file.csv. my reports is sending empty csv, even if it has some results . Am i missing anything here?Any suggestions

0 Karma
Reply
Solved! Jump to solution

wiederkehrc
Explorer
‎05-04-2023 05:17 AM

Hi Aminion, I am not sure if I understand what you are trying to accomplish.

If you have search that you want to run at specific intervalls and then send the results to you via Email you can add the "Attach CSV" option to the Alert when you save it.

 

wiederkehrc_0-1683202564002.png

Is that what you want? O did I not understand your question properly?

 

Regards

Chris

 

0 Karma
Reply
Solved! Jump to solution

Aminion
Engager
‎05-04-2023 05:29 AM

sorry @wiederkehrc  @chris what i meant was, im not getting csv attachment in the email if the search doesn't have any results, whereas if the search has results I get csv attachment.My requirement is i need csv attachement in my emails regardless of the results

0 Karma
Reply
Solved! Jump to solution

wiederkehrc
Explorer
‎05-10-2023 03:30 AM

If you set the condition to send emails even if the search does not yield results you should get a csv that contains the text: "No matching events found."   You can do that by selecting a "is less than" condition with a big number in the Trigger conditions:

splunk_always_send_email.PNG

Make sure to select the "Allow Empty Attachment" option when setting up the Alert.

splunk_empty_attachment.PNG

Another option would be to add a dummy result to your search to make sure that you always get at least one result using a command like append:

 

index=_internal action!=search xuxuxuxux | head 1 | eval myfield="real value" | table _time myfield| append [ makeresults annotate=true | eval myfield="dummy" | table _time myfield ]

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...