Re: Query return value if NULL event

obiwan1129 · ‎11-17-2017

I have a query I'm working on where not all the values I feed it are in the index I am querying against.

For example suppose I have two emails, lrhg@gmail.com and charlie.brown@peanuts.com

index=windows sourcetype=ActiveDirectory lrhg@gmail.com OR charlie.brown@peanuts.com | dedup name

Currently only charlie.brown@peanuts.com is in the index. As a result I only return the Event for charlie.brown@peanuts.com.

I'd like to have my query return two records for lrhg@gmail.com and charlie.brown@peanuts.com even if there are no results for lrhg@gmail.com. Something where the event is essentially blank except for the lrhg@gmail.com value

Any thoughts out there?

DalJeanis · ‎11-17-2017

Use append to add a blank record for each. Look at the makeresults command for one each way to do it.

index=windows sourcetype=ActiveDirectory lrhg@gmail.com OR charlie.brown@peanuts.com 
| append [
    | makeresults 
    | eval name="lrhg@gmail.com charlie.brown@peanuts.com" 
    | makemv name 
    | mvexpand name 
    | table name
    ]
| dedup name

Query return value if NULL event

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

From GPU to Application: Monitoring Cisco AI Infrastructure with Splunk Observability ...

Application management with Targeted Application Install for Victoria Experience

Join the Conversation

Query return value if NULL event

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

From GPU to Application: Monitoring Cisco AI Infrastructure with Splunk Observability ...

Application management with Targeted Application Install for Victoria Experience