Hi all,
I have a Splunk index with records of the following format:
(I temporarily use the recordIndex because both other fields consist of wildcards and it allows me to edit/delete them more easily. Later on, this index will be transferred to a relational DB).
When I want to add a record to this index, I look for the largest recordIndex that exists, add 1 to it, and use it for the new record. I use the following (simplified) search code:
index=myindex | sort -num(recordIndex) | head 1 | eval recordIndex=recordIndex+1 | eval recordName="$args.recordName$" | eval recordComment="$args.comment$" | table recordIndex recordName recordComment | collect index=myindex
However, there is a corner case where the index is empty. For this case only, I could use the following search:
index=_internal | head 1 | eval recordIndex=1 | eval recordName="$args.recordName$" | eval recordComment="$args.comment$" | table recordIndex recordName recordComment | collect index=myindex
My question is how to "combine" these 2 searches so they could work together in all cases.
Thanks,
Ori.
I solved this by using the append function:
index=myindex | table recordIndex | sort -num(recordIndex) | head 1 | append [search index=_internal | head 1] | eval recordIndex=if(recordIndex>0,recordIndex+1,1) | eval recordName="$args.recordName$" | eval recordComment="$args.comment$" | table recordIndex recordName recordComment | sort -recordIndex | head 1 | collect index=myindex
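The following is an added Python model of the accepted answer's combined search, not code from the original thread or from Splunk. It simulates each pipeline stage on an in-memory list of records (constructed sample data) so the two cases can be checked side by side: with existing records, the appended `_internal` row has no recordIndex, so `if(recordIndex>0, ...)` sees a null comparison (false) and yields 1, and the final `sort -recordIndex | head 1` keeps the max+1 row instead; with an empty index, only the appended row survives and the new record gets recordIndex 1.

```python
# Python model of the accepted answer's SPL pipeline (added example, not from
# the original post). Records are dicts; a missing field is None, which mirrors
# Splunk's null semantics: any comparison against null evaluates to false.

def spl_if_gt_zero(value):
    """Model of: eval recordIndex=if(recordIndex>0, recordIndex+1, 1).

    The row appended from index=_internal carries no recordIndex at all, so the
    condition is false for it and the row receives 1.
    """
    if value is not None and value > 0:
        return value + 1
    return 1


def next_record(my_index, args):
    """Return the single event the combined search would hand to `collect`.

    my_index: list of dicts with a numeric "recordIndex" (may be empty)
    args:     dict with "recordName" and "comment", standing in for $args.*$
    """
    # index=myindex | table recordIndex | sort -num(recordIndex) | head 1
    top = sorted((r["recordIndex"] for r in my_index), reverse=True)[:1]
    rows = [{"recordIndex": v} for v in top]

    # append [search index=_internal | head 1] -> exactly one row, no recordIndex
    rows.append({})

    # eval recordIndex=if(recordIndex>0,recordIndex+1,1)
    # | eval recordName=... | eval recordComment=...
    # | table recordIndex recordName recordComment
    out = [
        {
            "recordIndex": spl_if_gt_zero(row.get("recordIndex")),
            "recordName": args["recordName"],
            "recordComment": args["comment"],
        }
        for row in rows
    ]

    # sort -recordIndex | head 1  (keeps max+1 when the index has data, else 1)
    out.sort(key=lambda r: r["recordIndex"], reverse=True)
    return out[0]


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    populated = [{"recordIndex": 1}, {"recordIndex": 3}, {"recordIndex": 2}]
    args = {"recordName": "host-*", "comment": "all hosts"}
    print(next_record(populated, args))  # recordIndex 4
    print(next_record([], args))         # recordIndex 1
```

The simulation keeps the stage order of the original search deliberately: without the trailing `sort -recordIndex | head 1`, the populated case would emit two rows (max+1 and 1) into `collect`.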