Splunk Search

Executing main search only if subquery satisfies the condition

bsaujla131984
Path Finder

I have two searches which I am running by joining them with appendcols, and I pass the result of the subquery to the main query.

index="index" sourcetype="aws:cloudwatch" source="source" account_id="account" metric_name="numberofmessages" CORS_Value>"1"
| eval numberofmessages=CORS_Value/5
| rename metric_dimensions as queue_names
| table queue_names numberofmessages
| appendcols [ search index="index" sourcetype="aws:cloudwatch" source="source" account_id="account" metric_name="ageofmessages" Sum>0 | rename Sum AS TimeinQueue | table TimeinQueue ]
| dedup queue_names

The problem with this is that the main query returns its own results even if the subquery did not produce any result. Basically, I want the main query to run only if the subquery satisfies the condition.

Can someone assist with this please?

0 Karma

to4kawa
Ultra Champion
index="index" sourcetype="aws:cloudwatch" source="source" account_id="account" 
AND ((metric_name="numberofmessages" CORS_Value>"1") OR (metric_name="ageofmessages" Sum>0 ))
| eval numberofmessages=CORS_Value/5 
| rename Sum AS TimeinQueue 
| rename metric_dimensions as queue_names 
| table queue_names numberofmessages TimeinQueue metric_name
| stats values(*) as * dc(metric_name) as flag by queue_names
| where flag > 1 AND match(metric_name,"ageofmessages")

I think this query displays the same result.

If you create a dashboard, maybe you can do what you say.

0 Karma

bsaujla131984
Path Finder

I tried this query, but it is not displaying any result; in fact, not even an event.

Do you know how we can make the main query dependent on the subquery?

0 Karma

to4kawa
Ultra Champion

Make a dashboard and use the token $job.resultCount$.

reference: https://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens

0 Karma
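To make that reply concrete, here is an added Simple XML dashboard sketch (my own, not code from to4kawa or from the Splunk docs) built from the two searches in the question: the former appendcols subsearch runs on its own, its done handler reads $job.resultCount$ and sets a token only when rows came back, and the main search references that token, so it is not dispatched until the gate passes. The token name age_filter, the labels and the 15-minute time range are assumptions.

```xml
<dashboard>
  <label>Queue backlog, gated on message age (assumed label)</label>
  <!-- Gating search: the subsearch from the question, run on its own.
       $job.resultCount$ is the number of rows it returned. -->
  <search id="age_check">
    <query>
      index="index" sourcetype="aws:cloudwatch" source="source" account_id="account"
      metric_name="ageofmessages" Sum&gt;0
      | rename Sum AS TimeinQueue
      | table TimeinQueue
    </query>
    <earliest>-15m</earliest>
    <latest>now</latest>
    <done>
      <!-- Only when the gate returned at least one row do we define the token.
           Its value is a search fragment that the main query splices in. -->
      <condition match="$job.resultCount$ &gt; 0">
        <set token="age_filter">metric_name="numberofmessages"</set>
      </condition>
      <condition>
        <unset token="age_filter"></unset>
      </condition>
    </done>
  </search>
  <row>
    <!-- depends hides the panel while the token is undefined; because the
         query itself also contains $age_filter$, Splunk does not dispatch
         the main search at all until the token exists (assumed behaviour). -->
    <panel depends="$age_filter$">
      <title>Messages per queue (shown only when ageofmessages &gt; 0)</title>
      <table>
        <search>
          <query>
            index="index" sourcetype="aws:cloudwatch" source="source" account_id="account"
            $age_filter$ CORS_Value&gt;"1"
            | eval numberofmessages=CORS_Value/5
            | rename metric_dimensions as queue_names
            | table queue_names numberofmessages
            | appendcols [ search index="index" sourcetype="aws:cloudwatch" source="source"
                account_id="account" metric_name="ageofmessages" Sum&gt;0
                | rename Sum AS TimeinQueue | table TimeinQueue ]
            | dedup queue_names
          </query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

The ageofmessages search now runs twice (once as the gate, once inside appendcols), which is acceptable for a dashboard but worth keeping in mind if the index is large.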