Hi all,
I have a Splunk index with records of the following format:
- recordIndex - an integer key I automatically assign to this record upon insert
- recordName - name of the record
- recordComment - comment
(I temporarily use the recordIndex because both other fields consist of wildcards and it allows me to edit/delete them more easily. Later on, this index will be transfered to relational DB).
When I want to add a record to this index, I look for the largest recordIndex exists, add 1 to it, and use it for the new record. I use the following (simplified) search code:
index=myindex | sort -num(recordIndex) | head 1 | eval recordIndex=recordIndex+1 | eval recordName="$args.recordName$" | eval recordComment="$args.comment$" | table recordIndex recordName recordComment | collect index=index=myindex
However, there is a corner case where the index is empty. For this case only, I could use the following search:
index=_internal | head 1 | eval recordIndex=1 | eval recordName="$args.recordName$" | eval recordComment="$args.comment$" | table recordIndex recordName recordComment | collect index=index=myindex
My question is how to "combine" these 2 searches so they could work together in all cases.
Thanks,
Ori.
