Splunk Search

Subsearch returning results before it is completed??

C_Sparn
Communicator

Hello,

I have a problem with a subsearch in which I try to filter the results of the main search. The search looks like this:

index = any sourcetype = log
[search index = any sourcetype = log
|eval user = "ANU"
|eval user = if( user LIKE "ANO" OR user LIKE "ANA","|stats count by UserId","|sendemail ...")
|return $user]

The problem is now that the subsearch returns more than one value. So if the user is not like ANO the search is sending 30 emails instead of just one, and also "stats count by UserId" is set in the main search more than one time. I think that the if clause causes that problem. Is it possible to end the subsearch after one result or just return values after the complete subsearch is completed?
Greetings

1 Solution

somesoni2
Revered Legend

Try something like this

index = any sourcetype = log
[|gentimes start=-1
|eval user = [subsearch that returns one user]
|eval user = if( user LIKE "ANO" OR user LIKE "ANA","|stats count by UserId","|sendemail ...")
|return $user]

Updated:

|gentimes start=-1  |eval user = [subsearch that returns one user]
|eval postprocess = if( user LIKE "ANO" OR user LIKE "ANA",1,2)
| map maxsearches=1 search="search index = any sourcetype = log | where 1=$postprocess$ | sendemail......" | stats count | map maxsearches=1 search="search index = any sourcetype = log | where 2=$postprocess$ |stats count by UserId"

C_Sparn
Communicator

With your advice to use map I found a solution that works for me.

index = any sourcetype = log
[search index = any sourcetype = log
|eval user = [subsearch that returns one user]
|eval test = if(user LIKE "ANO" OR user LIKE "ANA","True","False")
|stats values(test) as test values(user) as user
|where test == "False"
|map maxsearches=1 search="search index = any sourcetype = log |sendemail..."
|return $user]
|stats count by UserId

So this code is a workaround for a if-else clause with commands like:

if{|stats...}
else{|sendemail... OR |stats...}

Greetings
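The branching pattern this thread arrives at, written out as an added example that is not either poster's own search: the branch decision is made in the driver search and rows that should not trigger the email are dropped before map, so map has zero input rows and the sendemail search is never started (a where inside the mapped search, as the thread notes, still leaves sendemail to fire on an empty result). The index, sourcetype, user prefixes, $UserId$ field name and recipient address are assumed placeholders.

```spl
| gentimes start=-1
    `comment("one driver row; the subsearch supplies the single user to test")`
| eval user=[ search index=any sourcetype=log | head 1 | return $UserId ]
    `comment("LIKE needs % for a prefix match; without it the comparison is exact")`
| eval branch=if(user LIKE "ANO%" OR user LIKE "ANA%", "stats", "email")
    `comment("keep only rows for the email branch; map runs once per remaining row, so zero rows means no email search at all")`
| where branch="email"
| map maxsearches=1 search="search index=any sourcetype=log | stats count by UserId | sendemail to=\"soc@example.com\" subject=\"Unexpected user $user$\" sendresults=true inline=true"
```

The stats branch is the plain main search (index=any sourcetype=log | stats count by UserId) run on its own, as in the solution above; only the side-effecting branch needs the driver-row filter in front of map.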

C_Sparn
Communicator

Hello, I tested your update, but there is another problem now. Using 2 map commands is a nice idea, but the where clause is not working. If $postprocess$ = 2 it should not send an email, but it is sending, because the where clause just limits the results to null in the first map and the email is sent with the message "No results".


somesoni2
Revered Legend

What you're trying to do is a conditional branching of search execution which may not be possible in Splunk. However, give the updated answer a try.


C_Sparn
Communicator

Yes it is still sending multiple emails. Is it possible that the main search is forcing the subsearch to run multiple times while proceeding?


somesoni2
Revered Legend

So, it's still sending multiple emails/stats gets set multiple times with gentimes?


C_Sparn
Communicator

Hello,

I tried with gentimes, but there was no effect, sorry.

Greetings


C_Sparn
Communicator

Hello, sorry, you are right! The eval should be |eval user = [subsearch that returns one user]. I check in the subsearch if the user is "ANA" or "ANO". After testing, the eval user should have a string like "|stats count by UserId". This string is then returned to the main search to manipulate it. The problem is now that the subsearch is returning more than 1 value. So if "|sendemail.." is returned, it is returned very often and more than 1 email will be sent. Is it possible to force Splunk to end the subsearch after one value or just go on with the main search after the subsearch is completed?


somesoni2
Revered Legend

In the subsearch, you have this '|eval user="ANU"'. Now each row will have user=ANU and your if condition becomes dead code. Could you provide more details on what you want to achieve here?
