topic Re: Can I reuse subsearch results for two panels in a form? in Splunk Search

Can I reuse subsearch results for two panels in a form?

steveta_uk — Mon, 24 Sep 2012 16:24:55 GMT

I am trying to develop a view that allows the user to select two time periods, then determine what changes have been made to a particular field between these two periods. For example, to determine what hosts were in use last week and not this week, and vice versa.

The search is easy enough, basically the two result sets are given by these search strings:

Is there a way to reduce this from 4 searches to 2, by somehow saving the subsearch and outer search results, and then comparing them as A NOT B and B NOT A ?

Re: Can I reuse subsearch results for two panels in a form?

bmacias84 — Mon, 24 Sep 2012 17:12:10 GMT

Yes, I would create a base search with some post process searches. Hopfully this get you started.

http://docs.splunk.com/Documentation/Splunk/latest/Developer/PostProcess

Re: Can I reuse subsearch results for two panels in a form?

steveta_uk — Mon, 24 Sep 2012 17:25:33 GMT

Not sure this helps - I have two different base searches, and the same two searches as subsearches but swapped around, and what I'm trying to do is only run them once each but process the results in a different sequence.

Re: Can I reuse subsearch results for two panels in a form?

bmacias84 — Mon, 28 Sep 2020 12:30:00 GMT

I haven't tested this, but your base search might look something like. I might have my comparision operators incorrect. I also hope I understand what your tying to accomplish.



sourcetype="syslog" earliest=-14d latest=-0d | eval preweek = if(_time >= relative_time(now(), "-14d@d"), host, null())|eval preweek = if(_time <= relative_time(now(), "-7d@d"), host, null())|eval curweek = if(_time >= relative_time(now(), "-7d@d"), host, null())|eval curweek = if(_time <= relative_time(now(), "0d@d"), host, null())| dedup curweek, preweek  | field curweek, preweek

Cheers,

Re: Can I reuse subsearch results for two panels in a form?

carasso — Fri, 19 Oct 2012 03:29:14 GMT

you can write the results to a csv file after the first run and then read the results for the second.

Re: Can I reuse subsearch results for two panels in a form?

steveta_uk — Fri, 19 Oct 2012 06:33:24 GMT

Carasso, yes this was the solution I have adopted, but it has problems in a couple of areas. Firstly the pager in the results doesn't know the correct number of hits, so for example shows pages 1-10 where only pages 1-3 have any results in them, this is because the pager seemd to be based on the count of hits in the base search, not on the postprocess. Secondly, the progress bar is all wrong - I think possibly for the same reason.

Re: Can I reuse subsearch results for two panels in a form?

steveta_uk — Fri, 19 Oct 2012 06:33:54 GMT

Re: Can I reuse subsearch results for two panels in a form?

Ayn — Fri, 19 Oct 2012 06:55:03 GMT

The "PostProcess" module in Sideview Utils addresses precisely this issue.

Re: Can I reuse subsearch results for two panels in a form?

steveta_uk — Fri, 19 Oct 2012 07:23:43 GMT

A bit of advise would be useful here - I very often see problems answered by everyone being told to use the sideview utils. As I want to provide reporting that can be used against my product by any Splunk user, I had assumed that I should stick to the built-in Splunk function set, just as when developing UNIX apps I would try to use only the available OS interfaces and not expect end users to have to install other 3rd party packages to get things to work.

What do others do in these circumstances? Do you bundle Sideview utils with your apps? Or tell the end user they must install it first? What if the user has some reason to not want to install sideview? etc...