Splunk Enterprise

how to skip part of a query

spisiakmi
Contributor

Hi, can anybody help, please?

Here the code and small description.

| inputlookup tmp.csv
| where workplaceId=111
| sort - Zeitstempel
| tail [
  | inputlookup tmp.csv
  | where workplaceId=111
  | sort - Zeitstempel
  | stats count as search
  | eval search=search-1
  | fields search]
| append [
  | inputlookup tmp.csv
  | where workplaceId=112
  | sort - Zeitstempel
  | tail [
    | inputlookup tmp.csv
    | where workplaceId=112
    | sort - Zeitstempel
    | stats count as search
    | eval search=search-1
    | fields search]]
| eval prod="testtest"
| eval _time=Zeitstempel
| fields _time, Zeit, Zeitstempel, workplaceId, workplace, App, state, prod
| collect index=workplace source="workplace_app" addtime=f testmode=f

Description: the code takes the [first:last-1] entries from the lookup table tmp.csv for every specific workplaceId. An error occurs if there are count(workplaceId)<2 entries.

Goal: how to skip if | stats count as search <2? How to skip the whole append part of the code? Or is there any exception for error states of tail? Or any idea for a smart workaround? I can send empty or dummy entries to the index.

1 Solution

ITWhisperer
SplunkTrust
| inputlookup tmp.csv
| sort 0 Zeitstempel
| streamstats count as _count by workplaceId global=f
| eventstats max(_count) as _subtotal by workplaceId
| where _count < _subtotal or _subtotal == 2
| eval prod="testtest"
| eval _time=Zeitstempel
| fields _time, Zeit, Zeitstempel, workplaceId, workplace, App, state, prod
| collect index=workplace source="workplace_app" addtime=f testmode=f

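Added example, not part of the thread and not Splunk's own code: a plain-Python model of the accepted pipeline (sort 0 Zeitstempel, streamstats count by workplaceId, eventstats max by workplaceId, the where clause, the eval/fields step) run over a constructed stand-in for tmp.csv. It makes the per-group behaviour visible that the question is really about: a workplaceId with three or more rows loses only its newest row, a workplaceId with exactly two rows keeps both, and a workplaceId with a single row is dropped entirely rather than raising an error. The sample rows, column values and all function names are assumptions for this example; the final collect into an index is deliberately left out.

```python
"""
Plain-Python model of the SPL pipeline from the accepted answer:

  | sort 0 Zeitstempel
  | streamstats count as _count by workplaceId global=f
  | eventstats max(_count) as _subtotal by workplaceId
  | where _count < _subtotal or _subtotal == 2
  | eval prod="testtest" | eval _time=Zeitstempel | fields ...

The rows below are constructed for this example; tmp.csv is not read.
"""
import csv
import io
from collections import defaultdict

# Constructed stand-in for tmp.csv (assumption: these are not the poster's data).
# workplaceId 111 has 3 rows, 112 has exactly 2, 113 has only 1.
TMP_CSV = """Zeitstempel,Zeit,workplaceId,workplace,App,state
1700000300,08:05,111,Line A,Editor,running
1700000100,08:01,111,Line A,Editor,idle
1700000200,08:03,111,Line A,Editor,running
1700000400,08:06,112,Line B,Viewer,idle
1700000500,08:08,112,Line B,Viewer,running
1700000600,08:10,113,Line C,Editor,idle
"""

OUTPUT_FIELDS = ["_time", "Zeit", "Zeitstempel", "workplaceId",
                 "workplace", "App", "state", "prod"]


def inputlookup(text):
    """Model of `| inputlookup`: one dict per CSV row, all values as strings."""
    return [dict(r) for r in csv.DictReader(io.StringIO(text))]


def streamstats_count_by(rows, by):
    """`streamstats count as _count by <by> global=f`: running count per group, in row order."""
    seen = defaultdict(int)
    for r in rows:
        seen[r[by]] += 1
        r["_count"] = seen[r[by]]
    return rows


def eventstats_max_by(rows, field, by, out):
    """`eventstats max(<field>) as <out> by <by>`: group maximum written back onto every row."""
    maxes = defaultdict(int)
    for r in rows:
        maxes[r[by]] = max(maxes[r[by]], r[field])
    for r in rows:
        r[out] = maxes[r[by]]
    return rows


def keep_all_but_newest(rows):
    """Run the whole pipeline and return the rows that would reach `collect`."""
    # `sort 0 Zeitstempel`: ascending by timestamp, no 10k row cap.
    rows = sorted(rows, key=lambda r: int(r["Zeitstempel"]))
    rows = streamstats_count_by(rows, "workplaceId")
    rows = eventstats_max_by(rows, "_count", "workplaceId", "_subtotal")
    # `where _count < _subtotal or _subtotal == 2`:
    # drop the newest row of each group, unless the group has exactly two rows.
    # A group with one row fails both conditions and is dropped instead of erroring.
    kept = [r for r in rows if r["_count"] < r["_subtotal"] or r["_subtotal"] == 2]
    for r in kept:
        r["prod"] = "testtest"          # eval prod="testtest"
        r["_time"] = r["Zeitstempel"]   # eval _time=Zeitstempel
    # `fields ...`: keep only the listed columns.
    return [{k: r[k] for k in OUTPUT_FIELDS} for r in kept]


def kept_timestamps_by_workplace(rows):
    """Helper for inspection: workplaceId -> list of surviving Zeitstempel values."""
    out = defaultdict(list)
    for r in rows:
        out[r["workplaceId"]].append(int(r["Zeitstempel"]))
    return dict(out)


if __name__ == "__main__":
    result = keep_all_but_newest(inputlookup(TMP_CSV))
    for r in result:
        print(r)
    print(kept_timestamps_by_workplace(result))
```

Running it shows why the streamstats/eventstats form needs no subsearch and no conditional: the group size is computed once per event, so the where clause simply filters, and a workplaceId with fewer than two rows contributes nothing to the index instead of breaking a tail subsearch.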

spisiakmi
Contributor

And also one thing. I changed

subtotal == 1

to

subtotal == 2

and it works exactly as I wish.


ITWhisperer
SplunkTrust

Updated as requested

spisiakmi
Contributor

Hi ITWhisperer, my favourite Splunk guru. Your code is amazing. Only one exception: there is no tail, therefore I replaced

| sort 0 - Zeitstempel

with

| sort 0 Zeitstempel

and it worked. If you adjust your answer, I can mark it as a solution. But really, really perfect job. You helped me a lot.


richgalloway
SplunkTrust

To answer the first question, there is no way to skip parts of a query. SPL does not have branching or conditional execution. Commands are processed from beginning to end, with the exception of the require command, which aborts the query if there are no results.

I don't have alternatives, however.  There are ways to speed up the query (like combining the inputlookup and where commands), but no simple way to accomplish the goal.

BTW, the description says it takes [first:last-1] entries, but use of the tail command means it's taking [first+1:last].


spisiakmi
Contributor

Hi richgalloway,

thank you for your reaction. Only for info, before tail there is:

sort - Zeitstempel

which in fact always guaranteed the choice of [first:last-1], because the subsearch has

| eval search=search-1

But never mind, thank you again for your post.
