topic Re: using output from a query as the query for another query in All Apps and Add-ons

topic Re: using output from a query as the query for another query in All Apps and Add-ons https://community.splunk.com/t5/All-Apps-and-Add-ons/using-output-from-a-query-as-the-query-for-another-query/m-p/472084#M58025 <P>Many thanks for a speedy reply<BR /> This is the code<BR /> index="foo" Name="bar" NOT delta="epsilon*" Number !=""<BR /> |stats values(Number) as number by Date Description <BR /> |sort Date<BR /> |lookup data Date OUTPUT colour as hue<BR /> |eval niche=",".Description."=".number<BR /> |stats values(hue) as hue values(niche) as niche by Date <BR /> | nomv niche<BR /> |eval base= "| append[| makeresults |eval key=\"".Date."\" ".niche."| untable key,\"axis\",\"value\" | eval keyColor=\"".hue."\"]"<BR /> |stats values(base) as base<BR /> |mvcombine delim=" " base <BR /> |nomv base<BR /> |stats values(base)</P> <P>If there were three time periods it produces this output which is needed for the visualization - now need to turn the output into it's own query...<BR /> <STRONG>base</STRONG><BR /> | append[| makeresults |eval key="201705" ,variable1=0 ,variable2=1 ,variable3=2 ,variable4=5 | untable key,"axis","value" | eval keyColor="magenta"] | append[| makeresults |eval key="201805" ,variable1=3 ,variable2=5 ,variable3=1 ,variable4=3 | untable key,"axis","value" | eval keyColor="blue"] | append[| makeresults |eval key="201905" ,variable1=2 ,variable2=2 ,variable3=1 ,variable4=1 | untable key,"axis","value" | eval keyColor="green"]</P> Thu, 05 Sep 2019 09:57:22 GMT ChrisCLewis 2019-09-05T09:57:22Z using output from a query as the query for another query https://community.splunk.com/t5/All-Apps-and-Add-ons/using-output-from-a-query-as-the-query-for-another-query/m-p/472082#M58023 <P>I am using the Custom Radar add on visualization. It requires using |makeresults to generate the data needed to create the graph.<BR /> I have worked out how to run a query that produces the |makeresults needed but I can't work out how to use that output as the query for a search.</P> <P>Is this something people have looked at (not just for the add on).</P> <P>Many thanks </P> Thu, 05 Sep 2019 09:30:55 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/using-output-from-a-query-as-the-query-for-another-query/m-p/472082#M58023 ChrisCLewis 2019-09-05T09:30:55Z Re: using output from a query as the query for another query https://community.splunk.com/t5/All-Apps-and-Add-ons/using-output-from-a-query-as-the-query-for-another-query/m-p/472083#M58024 <P>can you post the SPL you have so far?</P> Thu, 05 Sep 2019 09:45:54 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/using-output-from-a-query-as-the-query-for-another-query/m-p/472083#M58024 diogofgm 2019-09-05T09:45:54Z Re: using output from a query as the query for another query https://community.splunk.com/t5/All-Apps-and-Add-ons/using-output-from-a-query-as-the-query-for-another-query/m-p/472084#M58025 <P>Many thanks for a speedy reply<BR /> This is the code<BR /> index="foo" Name="bar" NOT delta="epsilon*" Number !=""<BR /> |stats values(Number) as number by Date Description <BR /> |sort Date<BR /> |lookup data Date OUTPUT colour as hue<BR /> |eval niche=",".Description."=".number<BR /> |stats values(hue) as hue values(niche) as niche by Date <BR /> | nomv niche<BR /> |eval base= "| append[| makeresults |eval key=\"".Date."\" ".niche."| untable key,\"axis\",\"value\" | eval keyColor=\"".hue."\"]"<BR /> |stats values(base) as base<BR /> |mvcombine delim=" " base <BR /> |nomv base<BR /> |stats values(base)</P> <P>If there were three time periods it produces this output which is needed for the visualization - now need to turn the output into it's own query...<BR /> <STRONG>base</STRONG><BR /> | append[| makeresults |eval key="201705" ,variable1=0 ,variable2=1 ,variable3=2 ,variable4=5 | untable key,"axis","value" | eval keyColor="magenta"] | append[| makeresults |eval key="201805" ,variable1=3 ,variable2=5 ,variable3=1 ,variable4=3 | untable key,"axis","value" | eval keyColor="blue"] | append[| makeresults |eval key="201905" ,variable1=2 ,variable2=2 ,variable3=1 ,variable4=1 | untable key,"axis","value" | eval keyColor="green"]</P> Thu, 05 Sep 2019 09:57:22 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/using-output-from-a-query-as-the-query-for-another-query/m-p/472084#M58025 ChrisCLewis 2019-09-05T09:57:22Z Re: using output from a query as the query for another query https://community.splunk.com/t5/All-Apps-and-Add-ons/using-output-from-a-query-as-the-query-for-another-query/m-p/472085#M58026 <P>Many thanks for the speedy reply, the SPL is:</P> <P>index="foo" Name="bar" NOT delta="epsilon*" Number !=""<BR /> |stats values(Number) as number by Date Description <BR /> |sort Date<BR /> |lookup data Date OUTPUT colour as hue<BR /> |eval niche=",".Description."=".number<BR /> |stats values(hue) as hue values(niche) as niche by Date <BR /> | nomv niche<BR /> |eval base= "| append[| makeresults |eval key=\"".Date."\" ".niche."| untable key,\"axis\",\"value\" | eval keyColor=\"".hue."\"]"<BR /> |stats values(base) as base<BR /> |mvcombine delim=" " base <BR /> |nomv base<BR /> |stats values(base)</P> <P>This is the output from the SPL which is a search that the add on would accept<BR /> | append[| makeresults |eval key="201705" ,variable1=0 ,variable2=1 ,variable3=2 ,variable4=5 | untable key,"axis","value" | eval keyColor="magenta"] | append[| makeresults |eval key="201805" ,variable1=3 ,variable2=5 ,variable3=1 ,variable4=3 | untable key,"axis","value" | eval keyColor="blue"] | append[| makeresults |eval key="201905" ,variable1=2 ,variable2=2 ,variable3=1 ,variable4=1 | untable key,"axis","value" | eval keyColor="green"]</P> Thu, 05 Sep 2019 10:12:55 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/using-output-from-a-query-as-the-query-for-another-query/m-p/472085#M58026 ChrisCLewis 2019-09-05T10:12:55Z Re: using output from a query as the query for another query https://community.splunk.com/t5/All-Apps-and-Add-ons/using-output-from-a-query-as-the-query-for-another-query/m-p/472086#M58027 <P>I have found the solution:</P> <P>You assign the output with a token using the following:</P> <P>set token="field_token">$result.base$</P> <P>Then in another panel you use the following query<BR /> |loadjob $field_token$</P> <P>result.base only takes the first value for the field which is fine as all the results have been combined. I found it when looking into tokens and id's for searches (<A href="https://answers.splunk.com/answers/660087/why-is-the-token-resultfield-not-populating-as-def.html">https://answers.splunk.com/answers/660087/why-is-the-token-resultfield-not-populating-as-def.html</A>).</P> Thu, 05 Sep 2019 15:07:30 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/using-output-from-a-query-as-the-query-for-another-query/m-p/472086#M58027 ChrisCLewis 2019-09-05T15:07:30Z