Hello,
I have a problem with a subsearch in which I try to filter the results of the main search. The search looks like this:
index = any sourcetype = log
[search index = any sourcetype = log
|eval user = "ANU"
|eval user = if( user LIKE "ANO" OR user LIKE "ANA","|stats count by UserId","|sendemail ...")
|return $user]
The problem is now that the subsearch returns more than one value. So if the user is not like ANO the search is sending 30 emails instead of just one and also "stats count by UserId" is set in the main search more than one time. I think that the if clause causes that problem. Is it possible to end the subsearch after one result or just return values after the complete subsearch is completed?
Greetings
Try something like this
index = any sourcetype = log
[|gentimes start=-1
|eval user = [subsearch that returns one user]
|eval user = if( user LIKE "ANO" OR user LIKE "ANA","|stats count by UserId","|sendemail ...")
|return $user]
Updated:
|gentimes start=-1 |eval user = [subsearch that returns one user]
|eval postprocess = if( user LIKE "ANO" OR user LIKE "ANA",1,2)
| map maxsearches=1 search="search index = any sourcetype = log | where 1=$postprocess$ | sendemail......" | stats count | map maxsearches=1 search="search index = any sourcetype = log | where 2=$postprocess$ |stats count by UserId
With your advice to use map I found a solution that works for me.
index = any sourcetype = log
[search index = any sourcetype = log
|eval user = [subsearch that returns one user]
|eval test = if(user LIKE "ANO" OR user LIKE "ANA","True","False")
|stats values(test) as test values(user) as user
|where test == "False"
|map maxsearches=1 search="search index = any sourcetype = log |sendemail..."
|return $user]
|stats count by UserId
So this code is a workaround for an if-else clause with commands like:
if{|stats...}
else{|sendemail... OR |stats...}
Greetings
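As an added illustration of the gating pattern used in the solution above (this is not code from the original thread), the search below builds a single driver row, decides the branch on that row, and uses where to keep or drop it. Because map runs its inner search once per incoming row, the email search runs exactly once when the condition is false and zero times when it is true, which is what avoids the "No results" email that a where inside the mapped search would still trigger. The makeresults driver, the user value and the recipient address are assumptions for illustration; the count branch is left on the main search as in the accepted workaround.

```spl
| makeresults
| eval user="ANU"
| eval branch=if(user LIKE "ANO" OR user LIKE "ANA", "count", "mail")
| where branch="mail"
| map maxsearches=1 search="search index=any sourcetype=log | stats count by UserId | sendemail to=recipient@example.com subject=placeholder"
```

With user set to "ANU" the where keeps the row and map sends one email; with user set to "ANA" the row is dropped, map receives no input, and no email is sent at all.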
Hello, I tested your update, but there is another problem now. Using 2 map commands is a nice idea, but the where clause is not working. If $postprocess$ = 2 it should not send an email, but it is sending, because the where clause just limits the results to null in the first map and the email is sent with the message "No results".
What you're trying to do is a conditional branching of search execution which may not be possible in Splunk. However, give the updated answer a try.
Yes it is still sending multiple emails. Is it possible that the main search is forcing the subsearch to run multiple times while proceeding?
So, it's still sending multiple emails/stats gets set multiple times with gentimes?
Hello,
I tried with gentimes, but there was no effect sorry.
Greetings
Hello, sorry, you are right! The eval should be |eval user = [subsearch that returns one user]. I check in the subsearch if the user is "ANA" or "ANO". After testing, the eval user should have a string like "|stats count by UserId". This string is then returned to the main search to manipulate it. The problem is now that the subsearch is returning more than 1 value. So if "|sendemail.." is returned, it is returned very often and more than 1 email will be sent. Is it possible to force Splunk to end the subsearch after one value or just go on with the main search after the subsearch is completed?
In the subsearch, you have this '|eval user="ANU"'. Now each row will have user=ANU and your if condition becomes dead code. Could you provide more details on what you want to achieve here?