Solved: Don't execute rest of commands if there is no even...

isoutamo · ‎03-25-2021

Hi

Our client have the next (kind of query) runs as a schedule. It can found events or not, based on current situation

<base search>
| where isnotnull(joblist)
| dedup joblist
| map search="| dbxquery connection=con_A query=\"select a, b, c from xx where x='AAA'\" |appendcols [| dbxquery connection=con_A query=\"select (select max([rows]) from sys.partitions with (nolock) where object_id=object_id('dbo.$joblist$')) as rowCnt,sum(len(cast(xmlrecord as varchar(max)))) as sum from $joblist$ (nolock)\"]"
| <rest of query>

This works find where the base query found events and joblist is defined. BUT when base search cannot find any events, then the query/schedule will fail with error:

Error in 'map': Did not find value for required attribute 'joblist'.

I have tried to found answers, but couldn't found / get ideas how to skip the rest of query, starting from map, if there is no event. Any helps / ideas appreciated!

https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-where-if-a-specific-value-for-FI... This didn't work and not those where have proposed to use fillnull.

r. Ismo

richgalloway · ‎03-25-2021

Check out the new require command.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎03-25-2021

Check out the new require command.

---
If this reply helps you, Karma would be appreciated.

isoutamo · ‎03-25-2021

Thanks Rich

Exactly what I'm needing, but unfortunately our Client have still version 7.3.x 😞

r. Ismo

isoutamo · ‎04-12-2021

I accept Rich's answer as a solution, but still waiting if someone can point me a right direction with older splunk versions.

Don't execute rest of commands if there is no events from base search?

other

subsearch

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!