Help with putting a conditional in my search

Champion

Hi,

Someone was kind enough to help me with this yesterday: link text

And it worked fine, until I realized that there will be times when the base search does not return any events. I'd like to add some logic to only run the dbxquery if the base search returns one event. Is there a way to do that?

Here's the query:

index=main sourcetype=ampData_source
 | fields BATCHSEQUENCE
 | dedup BATCHSEQUENCE
 | sort 0 - BATCHSEQUENCE
 | head 1
 | table BATCHSEQUENCE
 | map search="| dbxquery query=\"SELECT analyticsutil.closeBatchFunction($BATCHSEQUENCE$,'Y') from dual;\" connection=\"ERPM\"" maxsearches=1

Builder

If you are truly not getting any base events to pass the token to the mapped dbxquery, then it should just fail the search with the error "Error in 'map': Did not find value for required attribute 'BATCHSEQUENCE'." If your goal is to not have that error at all, then this can accomplish that:

[| makeresults count=1 
    | eval search=if( 
        [ search index=main sourcetype=ampData_source 
        | fields BATCHSEQUENCE 
        | dedup BATCHSEQUENCE 
        | sort 0 - BATCHSEQUENCE 
        | head 1 
        | stats count 
        | return $count]>0, "index=main sourcetype=ampData_source 
| fields BATCHSEQUENCE 
| dedup BATCHSEQUENCE 
| sort 0 - BATCHSEQUENCE 
| head 1
| table BATCHSEQUENCE 
| map search=\"| dbxquery query=\\\"SELECT analyticsutil.closeBatchFunction($BATCHSEQUENCE$,'Y') from dual;\\\" connection=\\\"ERPM\\\"\" maxsearches=1", null()) 
    | table search]

You will now just get no results instead of an error.

If this comment/answer was helpful, please up vote it. Thank you.
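The guard the answer above builds in SPL, modeled in Python as an added example (this is not code from the thread or from Splunk): the sample events, the bind-parameter form of the close-batch call and the integer check on the token are assumptions. Beyond the "no events, no error" behaviour, it shows the check a practitioner would want in the same place: the value substituted for $BATCHSEQUENCE$ comes straight from indexed event data, so it is confirmed to be the integer the function expects before it is handed to the database.

```python
"""Model of the guarded map/dbxquery pattern (added example, not from the thread).

Mirrors: fields BATCHSEQUENCE | dedup BATCHSEQUENCE | sort 0 - BATCHSEQUENCE | head 1,
then runs the close-batch call only when a value survives, and checks that the
token is a plain integer before it is placed in SQL.
"""
import re
from typing import Optional

# Constructed sample events standing in for index=main sourcetype=ampData_source.
SAMPLE_EVENTS = [
    {"_time": 1, "BATCHSEQUENCE": "1041"},
    {"_time": 2, "BATCHSEQUENCE": "1042"},
    {"_time": 3, "BATCHSEQUENCE": "1042"},   # duplicate, dropped by dedup
    {"_time": 4, "BATCHSEQUENCE": "1039"},
]

# closeBatchFunction takes a numeric sequence, so only digits are accepted.
BATCHSEQ_PATTERN = re.compile(r"^[0-9]+$")


def latest_batch_sequence(events) -> Optional[str]:
    """dedup | sort 0 - BATCHSEQUENCE | head 1 equivalent.

    Returns None when the base search has no events (the case the question is
    about). Raises ValueError if any event carries a non-numeric sequence, so a
    malformed or unexpected field value is surfaced instead of being forwarded.
    """
    values = {e["BATCHSEQUENCE"] for e in events if e.get("BATCHSEQUENCE")}
    if not values:
        return None
    bad = sorted(v for v in values if not BATCHSEQ_PATTERN.match(v))
    if bad:
        raise ValueError(f"non-numeric BATCHSEQUENCE value(s) in events: {bad}")
    # Splunk sorts numeric-looking strings numerically; "sort 0 -" is descending.
    return max(values, key=int)


def build_close_batch_call(events):
    """Return (sql, params) for the dbxquery, or None when there is nothing to close.

    Instead of pasting the token into the statement text the way map's
    $BATCHSEQUENCE$ substitution does, the value is passed as a bind parameter
    (assumed to be supported by the hypothetical DB connection used here).
    """
    seq = latest_batch_sequence(events)
    if seq is None:
        return None                  # no results, no error: the answer's goal
    sql = "SELECT analyticsutil.closeBatchFunction(:seq, 'Y') FROM dual"
    return sql, {"seq": int(seq)}


if __name__ == "__main__":
    print(build_close_batch_call(SAMPLE_EVENTS))   # highest sequence, 1042
    print(build_close_batch_call([]))              # None: nothing to run
```

The two helpers split the work the same way the SPL does: one picks the single value the `head 1` stage would produce, the other decides whether a call is made at all. Keeping the validation next to the guard means the "no events" and "bad value" cases are handled in one place rather than discovered as a database error later.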

Path Finder

@dmarling

I was trying the above solution, but I am getting the error "Unknown search command '0'".
My query is:

[| makeresults count=1
|eval search=if(
[search index="ass_main" host=pr CASE(4333)
| rex field=_raw "(?<EMPID>EMP[0-9]{12})"
| fields EMPID
| dedup EMPID
| sort 0 - EMPID
| head 1
| stats count
| return $count]>0,"index="ass_main" host=pr CASE(433)
| rex field=_raw "(?<EMPID>EMP[0-9]{12})"
| fields EMPID
| dedup EMPID
| stats values(EMPID) as EMPID
| eval EMPID= "'".mvjoin(INCID, "','")."'"
| map search="| dbxquery query=\"select \\"Emp Number\\",\\"Description\\"
FROM
BIA_BA_EUL.\\"View Emp Helpdesk\\" WHERE \\"Emp Number\\" IN ($EMPID$) \"
connection=\"NTZ-SVC-PR1\"",null())
| table search]


Builder

Hi @manunairadavakkat, what version of Splunk are you running? Can you repost that query in the code sample box so it doesn't escape some of the special characters? You can do that by hitting Ctrl + K on your keyboard or clicking the button that has 101010 in the comment GUI.

If this comment/answer was helpful, please up vote it. Thank you.