Hi everyone, I'm kind of stuck here and need the help of people who have more knowledge than me :).

Currently I have built a (rather) advanced search of which the result is basically a report of that passed some validation rules. To keep it simple, the result of the search will tell the end users which orders they need to reapply because of missing data. The plan is to schedule this report daily and send the list of incorrect orders to the correct people. However, there are some requests about how this information should be visible.

For this I have been looking into the reporting module, to give access to the report URL and provide the results. The main issue with this is that reports will always run and send an alert even when there are no results. I'm looking for a way to make it so that the email of the report is not being sent when there are no results. Is this in any way possible?

I know this can be achieved via an alert, which can also contain a link to the results of the alert. The main issue with this solution is that the search head becomes visible when redirecting to this link. Since people who do not have a lot of Splunk knowledge themselves will be accessing the results, I don't want them to have any insight into the search or be able to change anything in the results, since this will just cause confusion.

Would this be possible to achieve via a custom Python script? And if so, is there any standard available? Or are there "better" ways to do so?
Hi everyone,

So I'll try and make this as clear as possible, but it's quite hard to explain it in depth. What I'm trying to do is map a certain numeric field value called "ordernumber" to a lookup file (for example 10). This lookup file contains a start range and stop range (for example 1-100) to identify which orders belong to which suppliers. A supplier will fill in a unique order number every time it sends the order. Basically it's described in this topic before: https://community.splunk.com/t5/Splunk-Search/How-do-you-create-a-lookup-from-a-range-of-values/m-p/423288

To make this work I used the following command:

| map search="| inputlookup supplier_range.csv | search To > $Ordernumber$ AND From < $Ordernumber$ |eval Ordernumber=\"$Ordernumber$\", details=\"$details$\", Matnumber=\"$matnumber$\" " maxsearches=1000000000000

However, now I have one issue, which is the following. Currently, not all possible ordernumber ranges are completely defined, and suppliers sometimes make typos when filling in the forms. In this case, I want to keep the events containing the "wrong" number and just return an empty result for the supplier name, which will be retrieved from the lookup file. I tried performing an if statement, but can't seem to get it to work. Then it does not return any results anymore.

"| eval name=if(To > $ $Ordernumber$ AND From < $Ordernumber$, "Name", EMPTY)"

I'm kinda stuck on this one. Is this even doable via a map command, or should I be using any other form of command? And how? In case I need to clarify anything, please let me know.

Kind regards,