Splunk Search

return command - exit (or return known value) if no results found

thewer
Explorer

I have a search that is basically like this (there are actually 2 subsearches, but this makes it easier to understand):

index="weblogs" [ SEARCH index="custcomplaintlogs" earliest=-1d | return 50 $custsession ]

This normally returns the weblogs that contain any of the customer sessions where the customers complained (i.e. find what the complaining customer actually did on the site). However, when there are no results in "custcomplaintlogs" over the last day, it returns EVERYTHING from "weblogs". If there is something in "custcomplaintlogs" it will give the weblogs for the customer's session only.

How can I stop it returning everything if the subsearch has no results? I want to either exit, or return something that will match nothing in the weblogs.

1 Solution

cramasta
Builder

Not sure if there is a better way, but what if you did something like this

index="weblogs" [ SEARCH index="custcomplaintlogs" earliest=-1d | append [ earliest=-1s | stats count | eval custsession="NeverEverGonnaFindMeInSplunk" | fields custsession ] | return 50 $custsession ]

This will basically just add another value to custsession which will never be found in Splunk. If your subsearch doesn't return any values, the return command will at least always return NeverEverGonnaFindMeInSplunk, which will stop the main search from searching for everything.

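The same sentinel pattern as a complete search, written as an added example for this thread rather than code from any of the posters. It assumes the standard `makeresults` generating command (which emits one empty row without scanning any index) in place of the `earliest=-1s | stats count` trick, and it dedups sessions before `return` so that the 50-row limit counts distinct sessions. The index and field names are the question's own; the sentinel string is arbitrary and only has to be a token that can never occur in `weblogs`.

```spl
index="weblogs"
    [ search index="custcomplaintlogs" earliest=-1d
      | dedup custsession
      | fields custsession
      | append
          [ | makeresults
            | eval custsession="NeverEverGonnaFindMeInSplunk"
            | fields custsession ]
      | return 50 $custsession ]
```

With complaints present the subsearch expands to `"sess1" OR "sess2" OR ... OR "NeverEverGonnaFindMeInSplunk"`; with none it expands to just `"NeverEverGonnaFindMeInSplunk"`, which matches no event, so the outer search returns zero results instead of the whole index. To confirm this on your data, run the bracketed subsearch on its own over a window with no complaints and check that the only row is the sentinel, or inspect the expanded search in the Job Inspector. If `custsession` is an extracted field in `weblogs`, `return 50 custsession` (without the `$`) generates `custsession="..." OR ...` terms instead of bare tokens, so a session id cannot match unrelated text elsewhere in the raw event. The same failure mode applies to any detection search whose filter comes from a subsearch or lookup: an empty allowlist or indicator list silently turns the search into an unfiltered `index=...`, so guard each such subsearch the same way.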

jkat54
SplunkTrust

Would probably be better if you did this instead:

index="weblogs" [ SEARCH index="custcomplaintlogs" earliest=-1d | append [ earliest=-1s | stats count | eval custsession=if(isnull(custsession),"null",custsession) | fields custsession ] | return 50 $custsession ]

or

index="weblogs" [ SEARCH index="custcomplaintlogs" earliest=-1d | append [ earliest=-1s | stats count | fillnull custsession | fields custsession ] | return 50 $custsession ]



cramasta
Builder

Yeah forgot an additional end bracket at the end of the fields command. I updated the post.


unchura
Explorer

Thanks! It worked by using eval to add a new row with a 0 value, putting it at the end of the resulting table, and requesting "head 1". Then, if the search is empty, only that last 0 comes through, which I can use in the rest of the code.

i.e.

index="myIndex" | where pString="xyz" | append [ | stats count | fields - count | eval pString=0 ] | eval recs=if(pString=0,0,1) | sort recs DESC | head 1 | table pString

thewer
Explorer

Not sure if that syntax is quite correct, but the idea works and I can't find anything better. Thanks cramasta!
