Hi all,

I have a Splunk index with records of the following format:

• recordIndex - an integer key I automatically assign to this record upon insert
• recordName - name of the record
• recordComment - comment

(I temporarily use the recordIndex because both other fields consist of wildcards and it allows me to edit/delete them more easily. Later on, this index will be transfered to relational DB).

When I want to add a record to this index, I look for the largest recordIndex exists, add 1 to it, and use it for the new record. I use the following (simplified) search code:

index=myindex | sort -num(recordIndex) | head 1 | eval recordIndex=recordIndex+1 | eval recordName="$args.recordName$" | eval recordComment="$args.comment$" | table recordIndex recordName recordComment | collect index=index=myindex

However, there is a corner case where the index is empty. For this case only, I could use the following search:
index=_internal | head 1 | eval recordIndex=1 | eval recordName="$args.recordName$" | eval recordComment="$args.comment$" | table recordIndex recordName recordComment | collect index=index=myindex

My question is how to "combine" these 2 searches so they could work together in all cases.

Thanks,
Ori.