Hi, can anybody help, please?
Here is the code and a short description.
| inputlookup tmp.csv
| where workplaceId=111
| sort - Zeitstempel
| tail [
| inputlookup tmp.csv
| where workplaceId=111
| sort - Zeitstempel
| stats count as search
| eval search=search-1
| fields search]
| append [
| inputlookup tmp.csv
| where workplaceId=112
| sort - Zeitstempel
| tail [
| inputlookup tmp.csv
| where workplaceId=112
| sort - Zeitstempel
| stats count as search
| eval search=search-1
| fields search]]
| eval prod="testtest"
| eval _time=Zeitstempel
| fields _time, Zeit, Zeitstempel, workplaceId, workplace, App, state, prod
| collect index=workplace source="workplace_app" addtime=f testmode=f
Description: the code takes the [first:last-1] entries from the lookup table tmp.csv for every specific workplaceId. An error occurs if there are count(workplaceId)<2 entries.
Goal: how to skip if | stats count as search <2? How to skip the whole append part of the code? Or is there any exception handling for error states of tail? Or any idea for a smart workaround? I can send empty or dummy entries to the index.
| inputlookup tmp.csv
| sort 0 Zeitstempel
| streamstats count as _count by workplaceId global=f
| eventstats max(_count) as _subtotal by workplaceId
| where _count < _subtotal or _subtotal == 2
| eval prod="testtest"
| eval _time=Zeitstempel
| fields _time, Zeit, Zeitstempel, workplaceId, workplace, App, state, prod
| collect index=workplace source="workplace_app" addtime=f testmode=f
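As an added example (not ITWhisperer's code and not anything from Splunk), here is a Python re-implementation of the streamstats/eventstats/where part of that search over a constructed tmp.csv, so you can see which rows survive for a workplaceId with three, two and one entries; the single-entry case simply yields no rows instead of the error the tail subsearch produced. Column names follow the question; the sample values are made up.

```python
import csv
import io
from collections import defaultdict

# Constructed stand-in for tmp.csv: workplaceId 111 has 3 rows, 112 has 2,
# 113 has only 1 (the case where the tail-based subsearch errored out).
TMP_CSV = """Zeitstempel,workplaceId,workplace,App,state
1700000100,111,Line A,app1,run
1700000200,111,Line A,app1,stop
1700000300,111,Line A,app1,run
1700000150,112,Line B,app2,run
1700000250,112,Line B,app2,stop
1700000400,113,Line C,app3,run
"""


def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def select_rows(rows):
    """Mirror of the SPL pipeline:
    | sort 0 Zeitstempel
    | streamstats count as _count by workplaceId global=f
    | eventstats max(_count) as _subtotal by workplaceId
    | where _count < _subtotal or _subtotal == 2
    """
    ordered = sorted(rows, key=lambda r: int(r["Zeitstempel"]))
    # streamstats: running count per workplaceId in sort order
    running = defaultdict(int)
    for r in ordered:
        running[r["workplaceId"]] += 1
        r["_count"] = running[r["workplaceId"]]
    # eventstats: max(_count) per group, i.e. the group size
    for r in ordered:
        r["_subtotal"] = running[r["workplaceId"]]
    return [r for r in ordered if r["_count"] < r["_subtotal"] or r["_subtotal"] == 2]


def kept_timestamps(rows):
    """Return {workplaceId: [Zeitstempel, ...]} for the surviving rows."""
    out = defaultdict(list)
    for r in select_rows(rows):
        out[r["workplaceId"]].append(int(r["Zeitstempel"]))
    return dict(out)


if __name__ == "__main__":
    for wid, stamps in sorted(kept_timestamps(load_rows(TMP_CSV)).items()):
        print(wid, stamps)
```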
And also one thing. I changed
subtotal == 1
to
subtotal == 2
and it works absolutely exactly as I wish.
Updated as requested
Hi ITWhisperer, my favourite Splunk guru. Your code is amazing. Only one exception: there is no tail, therefore I replaced
| sort 0 - Zeitstempel
with
| sort 0 Zeitstempel
and it worked. If you adjust your answer, I can mark it as a solution. But, really really perfect job. You helped me a lot.
To answer the first question, there is no way to skip parts of a query. SPL does have branching or conditional execution. Commands are processed from beginning to end with the exception of the require command which aborts the query if there are no results.
I don't have alternatives, however. There are ways to speed up the query (like combining the inputlookup and where commands), but no simple way to accomplish the goal.
BTW, the description says it takes [first:last-1] entries, but use of the tail command means it's taking [first+1:last].
Hi richgalloway,
thank you for your reply. Just for info, before tail there is:
sort - Zeitstempel
which in fact always guaranteed the choice of [first:last-1], because the subsearch has
| eval search=search-1
But never mind, thank you again for your post.