Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to implement a Splunk query that is based on if the other Splunk query result exist or not

winstonwcheney
Loves-to-Learn
‎03-31-2022 10:53 AM

Hello, 

I am trying to develop a splunk query.  But the query that needs to be run is based on another SPlunk query return empty result. 

what command I can use? 

 

thank you

 

Labels (1)
Labels
0 Karma
Reply

winstonwcheney
Loves-to-Learn
‎03-31-2022 11:25 AM

Thank you.  But this method seems not working, even my second search count =1, the first search still return result. 

0 Karma
Reply

winstonwcheney
Loves-to-Learn
‎03-31-2022 11:18 AM

Thank you, this method seems not working. Although second search count =1, it still get result for first search.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-31-2022 11:24 AM

Which order have you put the searches - the first search should be the one which you are checking for zero results, the second search is the one you run if there are no results from the first search

0 Karma
Reply

winstonwcheney
Loves-to-Learn
‎03-31-2022 11:28 AM

Yes. But the result always return result for first search. 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-31-2022 11:32 AM

So the first search returns a result, which according to your requirement means the second search should not run, which it doesn't. Isn't this what you asked for?

0 Karma
Reply

winstonwcheney
Loves-to-Learn
‎03-31-2022 11:34 AM

I mean, even first search return 0 result, the second still does not return expected result. 

0 Karma
Reply

winstonwcheney
Loves-to-Learn
‎03-31-2022 11:37 AM

The requirement is to see result of second query result. If first search result count = 1, we don't want to see any result. If first search result count =0, we want to see second search result but not first search result.

0 Karma
Reply

winstonwcheney
Loves-to-Learn
‎03-31-2022 11:30 AM

And even first search return count =0, second search also return empty result. I want second search return information as expected

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-31-2022 11:37 AM

Can you share your search to see if something else is going on to explain this behaviour?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-31-2022 11:09 AM

You might be able to use appendpipe.

first search ...
| appendpipe
  [| stats count
   | where count=0
   | second search]
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...