Splunk Search

return command - exit (or return known value) if no results found

thewer
Explorer

I have a search that is basically (there are actually 2 sub searches, but this makes it easier to understand):

index="weblogs" [ SEARCH index="custcomplaintlogs" earliest=-1d | return 50 $custsession ]

This normally returns the weblogs that contain any of the customer sessions where the customers complained (i.e. find what the complaining customer actually did on the site). However, when there are no results in "custcomplaintlogs" over the last day, it returns EVERYTHING from "weblogs". If there is something in "custcomplaintlogs", it will give the weblogs for the customer's session only.

How can I stop it returning everything if the subsearch has no results? I want to either exit, or return something that will match nothing in the weblogs.

1 Solution

cramasta
Builder

Not sure if there is a better way, but what if you did something like this:

index="weblogs" [ SEARCH index="custcomplaintlogs" earliest=-1d | append [earliest=-1s |stats count | eval custsession="NeverEverGonnaFindMeInSplunk" | fields custsession]| return 50 $custsession ]

This will basically just add another value to custsession which will never be found in Splunk. If your subsearch doesn't return any values with the return command, it will at least always return NeverEverGonnaFindMeInSplunk, which will stop the main search from searching for everything.
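
The fail-open behaviour that cramasta's answer works around, modelled in Python as an added example (this is not Splunk code and not from anyone in this thread): a toy `return` that turns subsearch rows into OR'd search text, a toy evaluator that splices that text into the outer search, and sample events constructed inline. With no complaint rows the spliced text is empty, so the only remaining constraint is the index and every weblog matches; appending the sentinel row keeps the term list non-empty, so nothing matches instead.

```python
import re

SENTINEL = "NeverEverGonnaFindMeInSplunk"  # sentinel value from the accepted answer

# Constructed sample events standing in for the two indexes in the question.
EVENTS = [
    {"index": "weblogs", "_raw": "s-101 GET /cart"},
    {"index": "weblogs", "_raw": "s-102 GET /checkout"},
    {"index": "weblogs", "_raw": "s-103 GET /help"},
    {"index": "custcomplaintlogs", "custsession": "s-102", "_raw": "s-102 checkout failed"},
]


def spl_return(rows, field, limit=50):
    """Model of `| return <limit> $field`: the subsearch is replaced by the
    distinct values of one field OR'd together, e.g. ( "s-102" OR "s-104" ).
    With no rows the replacement text is empty."""
    vals = []
    for row in rows:
        v = row.get(field)
        if v is not None and v not in vals:
            vals.append(v)
        if len(vals) == limit:
            break
    return "( " + " OR ".join(f'"{v}"' for v in vals) + " )" if vals else ""


def run_search(search, events):
    """Toy evaluator for the spliced outer search: `index="x"` picks the index
    and a parenthesised group of quoted values is an OR of free-text terms.
    Without a term group the only constraint is the index, so every event in
    it matches; that is the fail-open effect the question describes."""
    index = re.search(r'index="([^"]+)"', search).group(1)
    group = re.search(r"\((.*?)\)", search)
    terms = re.findall(r'"([^"]+)"', group.group(1)) if group else None
    return [ev for ev in events
            if ev["index"] == index
            and (terms is None or any(t in ev["_raw"] for t in terms))]


def find_complaining_weblogs(events, complaints_in_window, add_sentinel=False):
    """The thread's search: weblogs for sessions that complained in the window.
    add_sentinel=True models the `append [... eval custsession=...]` trick,
    which guarantees the subsearch always yields at least one value."""
    rows = list(complaints_in_window)
    if add_sentinel:
        rows.append({"custsession": SENTINEL})
    search = 'index="weblogs" ' + spl_return(rows, "custsession")
    return run_search(search, events)
```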

jkat54
SplunkTrust

Would probably be better if you did this instead:

index="weblogs" [ SEARCH index="custcomplaintlogs" earliest=-1d | append [earliest=-1s |stats count | eval custsession=if(isnull(custsession),"null",custsession) | fields custsession]| return 50 $custsession ]

or

index="weblogs" [ SEARCH index="custcomplaintlogs" earliest=-1d | append [earliest=-1s |stats count | fillnull custsession | fields custsession]| return 50 $custsession ]

cramasta
Builder

Yeah, forgot an additional end bracket at the end of the fields command. I updated the post.

unchura
Explorer

Thanks! It worked by evaluating a new row with a 0 value and putting it at the end of the resulting table, requesting "head 1". Then, if the search is empty, only that last 0 comes back, which I can take within the rest of the code.

i.e.

index="myIndex" | where pString = "xyz" | append [ | stats count | fields - count | eval pString = 0  ] | eval recs=if(pString=0,0,1) | sort recs DESC | head 1 | table pString

thewer
Explorer

Not sure if that syntax is quite correct, but the idea works and I can't find anything better - thanks cramasta!
