Splunk Search

return command - exit (or return known value) if no results found

Explorer

I have a search that is basically this (there are actually two subsearches, but this makes it easier to understand):

index="weblogs" [ SEARCH index="custcomplaintlogs" earliest=-1d | return 50 $custsession ]

This normally returns the weblogs that contain any of the customer sessions where the customers complained (i.e. find what the complaining customer actually did on the site). However, when there are no results in "custcomplaintlogs" over the last day it returns EVERYTHING from "weblogs". If there is something in "custcomplaintlogs" it will give the weblogs for the customer's session only.

How can I stop it returning everything if the subsearch has no results? I want to either exit, or return something that will match nothing in the weblogs.


Re: return command - exit (or return known value) if no results found

Builder

Not sure if there is a better way, but what if you did something like this:

index="weblogs" [ SEARCH index="custcomplaintlogs" earliest=-1d | append [earliest=-1s |stats count | eval custsession="NeverEverGonnaFindMeInSplunk" | fields custsession]| return 50 $custsession ]

This will basically just add another value to custsession which will never be found in Splunk. If your subsearch doesn't return any values with the return command, it will at least always return NeverEverGonnaFindMeInSplunk, which will stop the main search from searching for everything.


Re: return command - exit (or return known value) if no results found

Explorer

Not sure if that syntax is quite correct, but the idea works and I can't find anything better - thanks cramasta!


Re: return command - exit (or return known value) if no results found

Builder

Yeah, I forgot an additional end bracket at the end of the fields command. I updated the post.


Re: return command - exit (or return known value) if no results found

Explorer

Thanks! It worked by using eval to add a new row with a 0 value, putting it at the end of the resulting table, and requesting "head 1". Then, if the search is empty, only that last 0 comes through, which I can handle in the rest of the code.

i.e.:

index="myIndex" | where pString = "xyz" | append [ | stats count | fields - count | eval pString = 0  ] | eval recs=if(pString=0,0,1) | sort recs DESC | head 1 | table pString

Re: return command - exit (or return known value) if no results found

SplunkTrust

Would probably be better if you did this instead:

index="weblogs" [ SEARCH index="custcomplaintlogs" earliest=-1d | append [earliest=-1s |stats count | eval custsession=if(isnull(custsession),"null",custsession) | fields custsession]| return 50 $custsession ]

or

index="weblogs" [ SEARCH index="custcomplaintlogs" earliest=-1d | append [earliest=-1s |stats count | fillnull custsession | fields custsession]| return 50 $custsession ]

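A fuller version of the sentinel trick from cramasta's answer and the refinements above, added here as an example (not from any post in this thread) and applied to a detection use case: pull web access events only for the source IPs that a separate alert index flagged in the last day, without flooding the results when that index is empty. The index names `web_access` and `auth_alerts` and the field `src_ip` are assumptions; `makeresults` stands in for the `earliest=-1s | stats count` trick as the one-row generator.

```spl
index="web_access"
    [ search index="auth_alerts" earliest=-1d
      | append
          [ | makeresults
            | eval src_ip="SENTINEL-NO-MATCH-4f9c"
            | fields src_ip ]
      | dedup src_ip
      | return 50 $src_ip ]
| stats count AS hits, dc(uri_path) AS distinct_paths BY src_ip
```

When `auth_alerts` has no events the outer search expands to `index="web_access" "SENTINEL-NO-MATCH-4f9c"` and returns nothing rather than the whole index. Because `$src_ip` expands to bare quoted values that match anywhere in the event, use `return 50 src_ip` instead if you want `src_ip="..."` pairs that match only that field.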