Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Subsearch returning results before it is completed??

C_Sparn
Communicator
‎08-01-2014 05:10 AM

Hello,

I have a problem with a subsearch in which I try to filter the results of the main search. The search looks like this:

index = any sourcetype = log
[search index = any sourcetype = log
|eval user = "ANU"
|eval user = if( user LIKE "ANO" OR user LIKE "ANA","|stats count by UserId","|sendemail ...")
|return $user]

The problem is now that the subsearch returns more than one value. So if the user is not like ANO the search is sending 30 emails instead of just one and also "stats count by UserId" is set in the main search mor than one time. I think that the if clause causes that problem.Is ist possible to end the subsearch after one result or just return values after the complete subsearch is completed?
Greetings

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-04-2014 05:54 AM

Try something like this

index = any sourcetype = log
[|gentimes start=-1
|eval user = [subsearch that returns one user]
|eval user = if( user LIKE "ANO" OR user LIKE "ANA","|stats count by UserId","|sendemail ...")
|return $user]

Updated:

|gentimes start=-1  |eval user = [subsearch that returns one user]
|eval postprocess = if( user LIKE "ANO" OR user LIKE "ANA",1,2)
| map maxsearches=1 search="search index = any sourcetype = log | where 1=$postprocess$ | sendemail......" | stats count | map maxsearches=1 search="search index = any sourcetype = log | where 2=$postprocess$ |stats count by UserId

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-04-2014 05:54 AM

Try something like this

index = any sourcetype = log
[|gentimes start=-1
|eval user = [subsearch that returns one user]
|eval user = if( user LIKE "ANO" OR user LIKE "ANA","|stats count by UserId","|sendemail ...")
|return $user]

Updated:

|gentimes start=-1  |eval user = [subsearch that returns one user]
|eval postprocess = if( user LIKE "ANO" OR user LIKE "ANA",1,2)
| map maxsearches=1 search="search index = any sourcetype = log | where 1=$postprocess$ | sendemail......" | stats count | map maxsearches=1 search="search index = any sourcetype = log | where 2=$postprocess$ |stats count by UserId
Reply
Solved! Jump to solution

C_Sparn
Communicator
‎08-10-2014 11:56 PM

With your advice to use map I found a solution that works for me.

index = any sourcetype = log
[search index = any sourcetype = log
|eval user = [subsearch that returns one user]
|eval test = if(user LIKE "ANO" OR user LIKE "ANA","True","False")
|stats values(test) as test values(user) as user
|where test == "False"
|map maxsearches=1 search="search index = any sourcetype = log |sendemail..."
|return $user]
|stats count by UserId

So this code is a workaround for a if-else clause with commands like:

if{|stats...}
else{|sendemail... OR |stats...}

Greetings

Reply
Solved! Jump to solution

C_Sparn
Communicator
‎08-06-2014 01:47 AM

Hello I tested your updated but there is another problem now. Using 2 map commands is a nice idea, but the where clause is not working. If $postprocess$ = 2 it should not send an email, but it is sending, because the where clause just limits the results to null in first map and the email is sent with the message "No results".

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-05-2014 07:02 AM

What you're trying to do is a conditional branching of search execution which may not be possible in Splunk. However, give the updated answer a try.

0 Karma
Reply
Solved! Jump to solution

C_Sparn
Communicator
‎08-04-2014 10:57 PM

Yes it is still sending multiple emails. Is it possible that the main search is forcing the subsearch to run multiple times while proceeding?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-04-2014 06:37 AM

So, its still sending multiple emails/stats gets set multiple time with gentimes?

0 Karma
Reply
Solved! Jump to solution

C_Sparn
Communicator
‎08-04-2014 06:08 AM

Hello,

I tried with gentimes, but there was no effect sorry.

Greetings

0 Karma
Reply
Solved! Jump to solution

C_Sparn
Communicator
‎08-04-2014 03:22 AM

Hello, sorry you are right! The eval sould be |eval user = [subsearch that returns one user]. I check in subsearch if the user is "ANA" or "ANO". After testing, the eval user should have a string like "|stats count by UserId". This string is then returnd to the main search to manipulate it. The problem is now that the subsearch is returning more than 1 value. So if "|sendemail.." is returned,it is returned very often and more than 1 email will be sent.Is it possible to force splunk to end the subsearch after one value or just go on with the main search after the subsearch is completed?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-01-2014 06:43 AM

In subsearch,you have this '|eval user="ANU"'. Now each row will have user=ANU and you if condition becomes dead code. Could you provide more details on what you want to achieve here?

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...