Splunk Search

How to create event if no results are returned?

Gian89
Explorer

Hello Community,

I have quite a strange issue to face...
For a project I'm working on, I would need to create a new case if the search returns no events.
I've tried to create a dummy example to make myself clear:

| makeresults 
| eval letter1="A", letter2="B", letter3="C"
| append
    [| makeresults
    | eval letter1="D", letter2="E", letter3="F"]
| search letter1="K"
| appendpipe
    [| ??ifnotresults??
    | append
        [| makeresults
        | eval letter1="X", letter2="Y", letter3="Z"]
    | where false() ]
| table letter1 letter2 letter3

 

In particular, I have no idea how to evaluate the ??ifnotresults??  part.

Do you think it is possible to achieve this?

Thanks in advance for your kind support

Labels (3)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Test for results using stats count and where count=0 within the appendpipe.

| makeresults 
| eval letter1="A", letter2="B", letter3="C" 
| append 
    [| makeresults 
    | eval letter1="D", letter2="E", letter3="F"] 
| search letter1="K"
| appendpipe 
    [ stats count
    | eval letter1="X", letter2="Y", letter3="Z"
    | where count=0
    | fields - count ] 
| table letter1 letter2 letter3

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Test for results using stats count and where count=0 within the appendpipe.

| makeresults 
| eval letter1="A", letter2="B", letter3="C" 
| append 
    [| makeresults 
    | eval letter1="D", letter2="E", letter3="F"] 
| search letter1="K"
| appendpipe 
    [ stats count
    | eval letter1="X", letter2="Y", letter3="Z"
    | where count=0
    | fields - count ] 
| table letter1 letter2 letter3

 

---
If this reply helps you, Karma would be appreciated.

gcusello
SplunkTrust
SplunkTrust

@Gian89,

let me understand:

  • you have many events from e.g. a list of hosts and you want to have a message when there isn't any result e.g. from one of those hosts, is it correct?

If this is your situation, you have three choices:

  • if you have only one check to perform (e.g. only one host),
  • if you have few checks to perform (e.g. few hosts to check),
  • if you have many ckecks to perform (e.g. many hosts to check).

in the first case you have to run a simple search and generate an alert if there isn't any result

| makeresults index=_internal host=your_host

in the second case, you have to run a simple search like this:

| metasearch index=_internal hostIN (host1, host2,host3)
| stats count BY host
| append [ | makeresults | eval host=host1, count=0 | fields host count ]
| append [ | makeresults | eval host=host2, count=0 | fields host count ]
| append [ | makeresults | eval host=host3, count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

In the third case, you have to creat e a lookup (called e.g. perimeter.csv) containing the list of objects to search (e.g. host) and run something like this:

| metasearch index=_internal hostIN (host1, host2,host3)
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

Ciao.

Giuseppe

Gian89
Explorer

Ciao Giuseppe,

thanks for your answer but it was not what I was looking for. The answer from richgalloway is what I was looking for 🙂 

Thanks anyway for your feedback! 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Gian89,

the most important thingi is that you solved your need.

We created an italian Splunk User Group, we didn't still have any event but we're organizing.

See next time.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...