Query return value if NULL event

obiwan1129 · ‎11-17-2017

I have a query I'm working on where not all the values I feed it are in the index I am querying against.

For example suppose I have two emails, lrhg@gmail.com and charlie.brown@peanuts.com

index=windows sourcetype=ActiveDirectory lrhg@gmail.com OR charlie.brown@peanuts.com | dedup name

Currently only charlie.brown@peanuts.com is in the index. As a result I only return the Event for charlie.brown@peanuts.com.

I'd like to have my query return two records for lrhg@gmail.com and charlie.brown@peanuts.com even if there are no results for lrhg@gmail.com. Something where the event is essentially blank except for the lrhg@gmail.com value

Any thoughts out there?

DalJeanis · ‎11-17-2017

Use append to add a blank record for each. Look at the makeresults command for one each way to do it.

index=windows sourcetype=ActiveDirectory lrhg@gmail.com OR charlie.brown@peanuts.com 
| append [
    | makeresults 
    | eval name="lrhg@gmail.com charlie.brown@peanuts.com" 
    | makemv name 
    | mvexpand name 
    | table name
    ]
| dedup name

Query return value if NULL event

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?

Query return value if NULL event

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25