Solved: Can a search be terminated prematurely based on a ...

Lowell · ‎07-08-2010

Is there a kind of conditional search command that can be used to stop or prematurely terminate a search based on a given condition?

For example, I want to send an email only if a certain condition is matched. For example, say I had a search setup something like this:

... | stats count | eval should_alert=if(count>5,"t","f") | continueif should_alert | sendemail to="user@domain" subject="My email subject..."

In this made up example, the continueif search command would prevent the sendemail search command from ever being invoked by the search unless the "should_alert" field was true.

I'm looking for some kind of search command (or set of search commands) to give me a continueif-like functionality. I realize that this is generally handled via alerting conditions with a saved search, but I'm wondering if this is possible to do purely from within the search language without relying on the features of the scheduler.

It seems like it may be possible to do something like this with a custom search script, however, the more I think about this the more unsure I am. I know a search could simply return an empty data set, that's easy, but that empty data set is simply passed on the next search command, so that doesn't really work. The search is not terminated by it. I suppose instead some kind of exception could be raised by a search script which would terminate the search, but I'm guessing that approach would cause other issues--at the very least, it would create extra log messages about a failed search. I guess it may also be possible to make a REST call from within the script and terminate your own search job, but that seems like a really bad idea too.

Stephen_Sorkin · ‎07-08-2010

The search language doesn't contain branching logic like this. We'd rather rely on general purpose languages (like python or Java) to provide higher-order behavior like this. I'd suggest using the python SDK to run the search, check the condition and take action (using the already run job).

As an aside, there's an argument to the head command to stop fetching earlier events after some boolean predicate is satisfied, but that's a different case.

View solution in original post

sideview · ‎07-08-2010

Im probably going to hell for mentioning this at all, but we have a looping structure in the map command:

http://www.splunk.com/base/Documentation/latest/SearchReference/Map

make a meaningless single row search result, with something like | stats count or * | head 1
pipe to the map command
specify the maxsearches argument to the map comment, but populate its value with either 1 or 0 based on a value in a subsearch.
specify the search argument to map, as the search you actually want to run conditionally:

search="search foo | sendemail"

I await my own fiery death. Probably whether this works or not. 😃

Stephen_Sorkin · ‎07-08-2010

The search language doesn't contain branching logic like this. We'd rather rely on general purpose languages (like python or Java) to provide higher-order behavior like this. I'd suggest using the python SDK to run the search, check the condition and take action (using the already run job).

As an aside, there's an argument to the head command to stop fetching earlier events after some boolean predicate is satisfied, but that's a different case.

Can a search be terminated prematurely based on a condition established within that search?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk