Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

return command - exit (or return known value) if no results found

thewer
Explorer
‎05-31-2013 01:08 AM

I have a search that is basically (there are actually 2 sub searches, but this makes it easier to understand):

index="weblogs" [ SEARCH index="custcomplaintlogs" earliest=-1d | return 50 $custsession ]

This normally returns the weblogs that contain any of the customer sessions where the customers complained (ie: find what the complaining customer actually did on the site). However when there are no results in "custcomplaintlogs" over the last day it returns EVERYTHING from "weblogs". If there is something in "custcomplaintlogs" it will give the weblogs for the customers session only.

How can I stop it returning everything if the subsearch has no results. I want to either exit, or return something that will match nothing in the weblogs.

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

cramasta
Builder
‎05-31-2013 01:06 PM

Not sure if there is a better way, but what if you did something like this

index="weblogs" [ SEARCH index="custcomplaintlogs" earliest=-1d | append [earliest=-1s |stats count | eval custsession="NeverEverGonnaFindMeInSplunk" | fields custsession]| return 50 $custsession ]

This will basically just add another value to custsession which will never be found in splunk. If your subsearch doesn't return any values with the return command it will at least always return NeverEverGonnaFindMeInSplunk which will stop the main search from searching for everything

View solution in original post

Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎04-14-2017 07:29 AM

Would probably be better if you did this instead:

index="weblogs" [ SEARCH index="custcomplaintlogs" earliest=-1d | append [earliest=-1s |stats count | eval custsession=if(isnull(custsession,"null",custsession) | fields custsession]| return 50 $custsession ]

or

index="weblogs" [ SEARCH index="custcomplaintlogs" earliest=-1d | append [earliest=-1s |stats count | fillnull custsession | fields custsession]| return 50 $custsession ]

0 Karma
Reply
Solved! Jump to solution
Solution

cramasta
Builder
‎05-31-2013 01:06 PM

Not sure if there is a better way, but what if you did something like this

index="weblogs" [ SEARCH index="custcomplaintlogs" earliest=-1d | append [earliest=-1s |stats count | eval custsession="NeverEverGonnaFindMeInSplunk" | fields custsession]| return 50 $custsession ]

This will basically just add another value to custsession which will never be found in splunk. If your subsearch doesn't return any values with the return command it will at least always return NeverEverGonnaFindMeInSplunk which will stop the main search from searching for everything

Reply
Solved! Jump to solution

cramasta
Builder
‎06-04-2013 06:51 AM

Yeah forgot an additional end bracket at the end of the fields command. I updated the post.

0 Karma
Reply
Solved! Jump to solution

unchura
Explorer
‎12-14-2016 11:57 AM

thanks! it worked by eval new row with 0 value and put it at the and of the resulting table, requesting "head 1". Then if the search is empty then only that last 0 come that I can take within the rest of the code.

i.e 

index="myIndex" | where pString = "xyz" | append [ | stats count | fields - count | eval pString = 0  ] | eval recs=if(pString=0,0,1) | sort recs DESC | head 1 | table pString
0 Karma
Reply
Solved! Jump to solution

thewer
Explorer
‎06-03-2013 11:53 PM

Not sure if that syntax is quite correct, but the idea works and I cant find anything better - thanks cramasta!

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...