Splunk® Enterprise

Search Reference

Download manual as PDF

Download topic as PDF

require

Description

Causes a search to fail if the queries and commands that precede it in the search string return zero events or results.

Syntax

The required syntax is in bold.

| require

Usage

When require is used in a search string, it causes the search to fail if the queries and commands that precede it in the search string return zero events or results. When you use it in a subsearch, it causes the parent search to fail when the subsearch fails to return results.

Use this command to prevent the Splunk platform from running zero-result searches when this might have negative side effects, such as generating false positives, running custom search commands that make costly API calls, or creating empty search filters via a subsearch.

The require command cannot be used in real-time searches.

Examples

1. Stop running a search if it returns zero results or events

... | require

2. Raise an exception if the subsearch returns zero events or results, and stop the parent search.

... [ search index=other_index NOSUCHVALUE | require ]

Last modified on 26 July, 2020
PREVIOUS
replace
  NEXT
rest

This documentation applies to the following versions of Splunk® Enterprise: 8.0.5, 8.0.6


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters