Query return value if NULL event - Splunk Community

Splunk Search

I have a query I'm working on where not all the values I feed it are in the index I am querying against.

For example suppose I have two emails, [email protected] and [email protected]

index=windows sourcetype=ActiveDirectory [email protected] OR [email protected] | dedup name

Currently only [email protected] is in the index. As a result I only return the Event for [email protected].

I'd like to have my query return two records for [email protected] and [email protected] even if there are no results for [email protected]. Something where the event is essentially blank except for the [email protected] value

Any thoughts out there?

Use append to add a blank record for each. Look at the makeresults command for one each way to do it.

index=windows sourcetype=ActiveDirectory [email protected] OR [email protected] 
| append [
    | makeresults 
    | eval name="[email protected] [email protected]" 
    | makemv name 
    | mvexpand name 
    | table name
    ]
| dedup name

Get Updates on the Splunk Community!

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

[REGISTER HERE] This thread is for the Community Office Hours session on Detection Engineering Office Hours: ...