Help with putting a conditional in my search

a212830
Champion

Hi,

Someone was kind enough to help me with this yesterday: link text

And it worked fine, until I realized that there will be times when the base search does not return any events. I'd like to add some logic to only run the dbxquery if the base search returns one event. Is there a way to do that?

Here's the query:

index=main sourcetype=ampData_source 
 | fields BATCHSEQUENCE 
 | dedup BATCHSEQUENCE 
 | sort 0 - BATCHSEQUENCE 
 | head 1
 | table BATCHSEQUENCE | map search="| dbxquery query=\"SELECT analyticsutil.closeBatchFunction($BATCHSEQUENCE$,'Y') from dual;\" connection=\"ERPM\"" maxsearches=1

dmarling
Builder

If you are truly not getting any base events to pass the token to the mapped dbxquery, then it should just fail the search with an error "Error in 'map': Did not find value for required attribute 'BATCHSEQUENCE'." If your goal is to not have that error at all, then this can accomplish that:

[| makeresults count=1 
    | eval search=if( 
        [ search index=main sourcetype=ampData_source 
        | fields BATCHSEQUENCE 
        | dedup BATCHSEQUENCE 
        | sort 0 - BATCHSEQUENCE 
        | head 1 
        | stats count 
        | return $count]>0, "index=main sourcetype=ampData_source 
| fields BATCHSEQUENCE 
| dedup BATCHSEQUENCE 
| sort 0 - BATCHSEQUENCE 
| head 1
| table BATCHSEQUENCE 
| map search=\"| dbxquery query=\\\"SELECT analyticsutil.closeBatchFunction($BATCHSEQUENCE$,'Y') from dual;\\\" connection=\\\"ERPM\\\"\" maxsearches=1", null()) 
    | table search]

You will now just get no results instead of an error.

If this comment/answer was helpful, please up vote it. Thank you.
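A defensive variant of the original query, added here as an example and not taken from either poster: `map` substitutes the value of `$BATCHSEQUENCE$` textually into the SQL string handed to `dbxquery`, so any value that reaches the `map` stage becomes part of the statement. The added `where match(...)` line assumes BATCHSEQUENCE is a plain integer in the indexed data and drops any row whose value is not, so that only a validated value is ever interpolated. It does not change the empty-base-search behaviour discussed in the answer above; it only adds the check before the substitution. The same idea applies to the `IN ($EMPID$)` list built with `mvjoin` later in this thread, where each value should match the expected `EMP[0-9]{12}` shape before it is joined.

```spl
index=main sourcetype=ampData_source
| fields BATCHSEQUENCE
| dedup BATCHSEQUENCE
| sort 0 - BATCHSEQUENCE
| head 1
| table BATCHSEQUENCE
``` Only a purely numeric value may be substituted into the SQL text (assumption: BATCHSEQUENCE is an integer key)
| where match(BATCHSEQUENCE, "^[0-9]+$")
| map search="| dbxquery query=\"SELECT analyticsutil.closeBatchFunction($BATCHSEQUENCE$,'Y') from dual;\" connection=\"ERPM\"" maxsearches=1
```

If the `where` filter removes the single row, `map` receives no input and the stored function is not called; that is the intended outcome for a malformed value, and the row can be surfaced separately (for example with `| where NOT match(BATCHSEQUENCE, "^[0-9]+$")` in a companion search) if it should be investigated rather than silently skipped.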

manunairadavakk
Path Finder

@dmarling

I was trying the above solution, but getting the error Unknown search command '0'.
My query is:

[| makeresults count=1
|eval search=if(
[search index="ass_main" host=pr CASE(4333)
| rex field=_raw "(?<EMPID>EMP[0-9]{12})"
| fields EMPID
| dedup EMPID
| sort 0 - EMPID
| head 1
| stats count
| return $count]>0,"index="ass_main" host=pr CASE(433)
| rex field=_raw "(?<EMPID>EMP[0-9]{12})"
| fields EMPID
| dedup EMPID
| stats values(EMPID) as EMPID
| eval EMPID= "'".mvjoin(INCID, "','")."'"
| map search="| dbxquery query=\"select \\"Emp Number\\",\\"Description\\"
FROM
BIA_BA_EUL.\\"View Emp Helpdesk\\" WHERE \\"Emp Number\\" IN ($EMPID$) \"
connection=\"NTZ-SVC-PR1\"",null())
| table search]


dmarling
Builder

Hi @manunairadavakkat, what version of Splunk are you running? Can you repost that query in the code sample box so it doesn't escape some of the special characters? You can do that by hitting Ctrl + K on your keyboard or by clicking the button that has 101010 in the comment GUI.

If this comment/answer was helpful, please up vote it. Thank you.