Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to implement a Splunk query that is based on if the other Splunk query result exist or not

winstonwcheney
Loves-to-Learn
‎03-31-2022 10:53 AM

Hello, 

I am trying to develop a splunk query.  But the query that needs to be run is based on another SPlunk query return empty result. 

what command I can use? 

 

thank you

 

Labels (1)
Labels
0 Karma
Reply

winstonwcheney
Loves-to-Learn
‎03-31-2022 11:25 AM

Thank you.  But this method seems not working, even my second search count =1, the first search still return result. 

0 Karma
Reply

winstonwcheney
Loves-to-Learn
‎03-31-2022 11:18 AM

Thank you, this method seems not working. Although second search count =1, it still get result for first search.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-31-2022 11:24 AM

Which order have you put the searches - the first search should be the one which you are checking for zero results, the second search is the one you run if there are no results from the first search

0 Karma
Reply

winstonwcheney
Loves-to-Learn
‎03-31-2022 11:28 AM

Yes. But the result always return result for first search. 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-31-2022 11:32 AM

So the first search returns a result, which according to your requirement means the second search should not run, which it doesn't. Isn't this what you asked for?

0 Karma
Reply

winstonwcheney
Loves-to-Learn
‎03-31-2022 11:34 AM

I mean, even first search return 0 result, the second still does not return expected result. 

0 Karma
Reply

winstonwcheney
Loves-to-Learn
‎03-31-2022 11:37 AM

The requirement is to see result of second query result. If first search result count = 1, we don't want to see any result. If first search result count =0, we want to see second search result but not first search result.

0 Karma
Reply

winstonwcheney
Loves-to-Learn
‎03-31-2022 11:30 AM

And even first search return count =0, second search also return empty result. I want second search return information as expected

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-31-2022 11:37 AM

Can you share your search to see if something else is going on to explain this behaviour?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-31-2022 11:09 AM

You might be able to use appendpipe.

first search ...
| appendpipe
  [| stats count
   | where count=0
   | second search]
0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...