Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Searcing with empty index

omend
Path Finder
‎07-16-2013 11:28 PM

Hi all,

I have a Splunk index with records of the following format:

  • recordIndex - an integer key I automatically assign to this record upon insert
  • recordName - name of the record
  • recordComment - comment

(I temporarily use the recordIndex because both other fields consist of wildcards and it allows me to edit/delete them more easily. Later on, this index will be transfered to relational DB).

When I want to add a record to this index, I look for the largest recordIndex exists, add 1 to it, and use it for the new record. I use the following (simplified) search code:

index=myindex | sort -num(recordIndex) | head 1 | eval recordIndex=recordIndex+1 | eval recordName="$args.recordName$" | eval recordComment="$args.comment$" | table recordIndex recordName recordComment | collect index=index=myindex

However, there is a corner case where the index is empty. For this case only, I could use the following search:
index=_internal | head 1 | eval recordIndex=1 | eval recordName="$args.recordName$" | eval recordComment="$args.comment$" | table recordIndex recordName recordComment | collect index=index=myindex

My question is how to "combine" these 2 searches so they could work together in all cases.

Thanks,
Ori.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

omend
Path Finder
‎07-17-2013 01:25 AM

I solved this by using the append function:

index=myindex | table recordIndex | sort -num(recordIndex) | head 1 | append [search index=_internal | head 1] | eval recordIndex=if(recordIndex>0,recordIndex+1,1) | eval recordName="$args.recordName$" | eval recordComment="$args.comment$" | table recordIndex recordName recordComment | sort -recordIndex | head 1 | collect index=myindex

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

omend
Path Finder
‎07-17-2013 01:25 AM

I solved this by using the append function:

index=myindex | table recordIndex | sort -num(recordIndex) | head 1 | append [search index=_internal | head 1] | eval recordIndex=if(recordIndex>0,recordIndex+1,1) | eval recordName="$args.recordName$" | eval recordComment="$args.comment$" | table recordIndex recordName recordComment | sort -recordIndex | head 1 | collect index=myindex

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...