Splunk Search

Help with putting a conditional in my search

a212830
Champion

Hi,

Someone was kind enough to help me with this yesterday: link text

And it worked fine, until I realized that there will be times when the base search does not return any events. I'd like to add some logic to only run the dbxquery if the base search returns one event. Is there a way to do that?

Here's the query:

index=main sourcetype=ampData_source 
 | fields BATCHSEQUENCE 
 | dedup BATCHSEQUENCE 
 | sort 0 - BATCHSEQUENCE 
 | head 1
 | table BATCHSEQUENCE | map search="| dbxquery query=\"SELECT analyticsutil.closeBatchFunction($BATCHSEQUENCE$,'Y') from dual;\" connection=\"ERPM\"" maxsearches=1

dmarling
Builder

If you are truly not getting any base events to pass the token to the mapped dbxquery, then it should just fail the search with an error "Error in 'map': Did not find value for required attribute 'BATCHSEQUENCE'." If your goal is to not have that error at all, then this can accomplish that:

[| makeresults count=1 
    | eval search=if( 
        [ search index=main sourcetype=ampData_source 
        | fields BATCHSEQUENCE 
        | dedup BATCHSEQUENCE 
        | sort 0 - BATCHSEQUENCE 
        | head 1 
        | stats count 
        | return $count]>0, "index=main sourcetype=ampData_source 
| fields BATCHSEQUENCE 
| dedup BATCHSEQUENCE 
| sort 0 - BATCHSEQUENCE 
| head 1
| table BATCHSEQUENCE 
| map search=\"| dbxquery query=\\\"SELECT analyticsutil.closeBatchFunction($BATCHSEQUENCE$,'Y') from dual;\\\" connection=\\\"ERPM\\\"\" maxsearches=1", null()) 
    | table search]

You will now just get no results instead of an error.

If this comment/answer was helpful, please up vote it. Thank you.
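A variant of the answer above, added here as an example and not part of any post in the thread: it keeps the same conditional structure but also drops the row when BATCHSEQUENCE is not numeric, so a non-numeric value is neither counted nor interpolated into the SQL text that map hands to dbxquery. It assumes the same index, sourcetype and ERPM connection as the question, and that BATCHSEQUENCE is always meant to be a plain number.

```spl
[| makeresults count=1
    | eval search=if(
        [ search index=main sourcetype=ampData_source
        | fields BATCHSEQUENCE
        | dedup BATCHSEQUENCE
        | sort 0 - BATCHSEQUENCE
        | head 1
        | where isnum(BATCHSEQUENCE)
        | stats count
        | return $count]>0, "index=main sourcetype=ampData_source
| fields BATCHSEQUENCE
| dedup BATCHSEQUENCE
| sort 0 - BATCHSEQUENCE
| head 1
| where isnum(BATCHSEQUENCE)
| table BATCHSEQUENCE
| map search=\"| dbxquery query=\\\"SELECT analyticsutil.closeBatchFunction($BATCHSEQUENCE$,'Y') from dual;\\\" connection=\\\"ERPM\\\"\" maxsearches=1", null())
    | table search]
```

The where clause appears in both the counting subsearch and the generated search so that the two agree; if it were only in the generated search, the count could be positive while map still received no row, which is exactly the empty-input case the conditional is meant to avoid.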

manunairadavakk
Path Finder

@dmarling

I was trying the above solution, but I am getting the error "Unknown search command '0'".
My query is:

[| makeresults count=1
|eval search=if(
[search index="ass_main" host=pr CASE(4333)
| rex field=_raw "(?<EMPID>EMP[0-9]{12})"
| fields EMPID
| dedup EMPID
| sort 0 - EMPID
| head 1
| stats count
| return $count]>0,"index="ass_main" host=pr CASE(433)
| rex field=_raw "(?<EMPID>EMP[0-9]{12})"
| fields EMPID
| dedup EMPID
| stats values(EMPID) as EMPID
| eval EMPID= "'".mvjoin(INCID, "','")."'"
| map search="| dbxquery query=\"select \\"Emp Number\\",\\"Description\\"
FROM
BIA_BA_EUL.\\"View Emp Helpdesk\\" WHERE \\"Emp Number\\" IN ($EMPID$) \"
connection=\"NTZ-SVC-PR1\"",null())
| table search]


dmarling
Builder

Hi @manunairadavakkat What version of Splunk are you running? Can you repost that query in the code sample box so it doesn't escape some of the special characters? You can do that by hitting Ctrl + K on your keyboard or by clicking the button that has 101010 in the comment GUI.

If this comment/answer was helpful, please up vote it. Thank you.