Splunk Search

How to suppress search results when a certain condition is met?

jmoeller
New Member

I need help with a very basic search concept. I need a way to suppress search results if a certain condition is met. I have a CSV file (file.csv)

Maint
YES

I need the exact search that would follow this basic logic...

   index=* (whatever the search)  look at file.csv  If Maint="YES" ensure  search returns nothing, otherwise return as normal

Please provide actual working search (I have tried many ways and I am sure I am missing something small, I am not familiar enough with the searches to fix minor issues)

0 Karma
1 Solution

renjith_nair
SplunkTrust
SplunkTrust

@jmoeller,

Here is what I tried and working

  1. Created a csv with just column name as Maint and value as Yes
  2. Added the file as a lookup table from Lookups » Lookup table files
  3. Created a lookup definition from Lookups » Lookup definitions » maint
  4. Executed below search and gives me the result

    index=_internal|stats count by sourcetype
    | appendcols [| inputlookup maint]
    | filldown Maint
    

    alt text

And below no result

index=_internal|stats count by sourcetype
| appendcols [| inputlookup maint]
| filldown Maint
| where Maint!="Yes"

Try if this works for your environment

Happy Splunking!

View solution in original post

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@jmoeller,

Here is what I tried and working

  1. Created a csv with just column name as Maint and value as Yes
  2. Added the file as a lookup table from Lookups » Lookup table files
  3. Created a lookup definition from Lookups » Lookup definitions » maint
  4. Executed below search and gives me the result

    index=_internal|stats count by sourcetype
    | appendcols [| inputlookup maint]
    | filldown Maint
    

    alt text

And below no result

index=_internal|stats count by sourcetype
| appendcols [| inputlookup maint]
| filldown Maint
| where Maint!="Yes"

Try if this works for your environment

Happy Splunking!
0 Karma

jmoeller
New Member

Thank you! It is working and I will mark it as answered because it does exactly what I asked. However, my oversimplification has created a new "problem". My csv actually has additional columns. When I run your suggestion, I get the results of the original query but I also get the additional columns from my csv (to the right of the results). You would not have seen that because you followed my question, this is my fault. If you add an additional column to your cvs, you should see the same. Are you aware of an easy way to remove the extra columns?

Thanks again,
Jonathan

0 Karma

jmoeller
New Member

Actually, I spoke too soon. It works with a query involving statistics but if you remove "| stats count by sourcetype", you receive and error "Error in appendcols' command.

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

Hi Jonathan(@jmoeller),

No worries,you could use append also. I now have three columns in the csv and just selected Maint by using fields. Try this and let me know if it works for you as well.

index=_internal|append [| inputlookup Maint|fields Maint]|reverse|filldown Maint|reverse|where Maint!="Yes"
Happy Splunking!
0 Karma

jmoeller
New Member

Thanks again. It is working but there is still a minor issue. When I use the search above, it "appends" a blank event at the bottom of the list. Since we are using this for alerting, a simplified search would be...

EventCode=1000

The alert would trigger if there is a record returned, thus the issue.

You should see it if you just modify your example to and index that doesn't exist. You should see a singe event returned rather than zero.

Thanks, again for all of your help. If we can get rid of the extra event, I am golden.

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

Hi Jonathan(@jmoeller),

Thanks for highlighting it. You could just filter it out by adding |where _raw!="" at the end of the search. Its purely depends on your search results. If you have just events returned , then above should work and if you have some fields displayed , for e.g. table field1,field2 then you could add the condition based on the field also. Let me know how it goes.

Thanks!

Happy Splunking!
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...