Splunk join with an in-memory record

Time:02-04

Sorry for the lame question, I am new to Splunk.

What I am trying to do is to join my search result with a fake record declared in the search body, something like

index=... 
| join type=outer <column> 
[ | <here declare a record to join with> 
......

The idea is to make sure there is at least one record in the resulting search. There are the following cases expected:

  1. the original search returns records
  2. the original search does not return anything because the result is filtered
  3. the original search does not return anything because the source is empty

I need to distinguish cases 2 and 3, which is what the join is for. The fake record will eliminate case 3, so I will only need to filter the result.

CodePudding user response:

There's a better way to handle the case of no results returned. Use the appendpipe command to test for that condition and add fields needed in later commands.

| appendpipe [ stats count | eval column="The source is empty" 
  | where count=0 | fields - count ]
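Added example, not part of the original question or answer: a complete search that applies the appendpipe pattern above and also tells the two empty cases apart. Instead of filtering first and then asking whether anything survived, it counts all events per host and counts the matching subset in the same stats call, so a host that exists but has no matching events keeps a row with errors=0. The index, sourcetype, host and status fields are assumed for illustration; the appendpipe subsearch only fires when the outer search produced no rows at all (the source was empty for the time range).

```spl
index=web sourcetype=access_combined earliest=-24h
| stats count AS total, count(eval(status>=500)) AS errors BY host
| appendpipe
    [ stats count
      | eval host="(none)", total=0, errors=0
      | where count=0
      | fields - count ]
| eval note=case(total=0,  "the source is empty",
                 errors=0, "events exist but all were filtered out",
                 true(),   "matching events found")
| table host total errors note
```

Because `stats ... BY host` returns zero rows when the index has no events, the `stats count | where count=0` subsearch inside appendpipe is what guarantees the single placeholder row; the final eval then labels each row as empty-source, filtered, or populated without any join.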