Creating a token in first search and passing it on to append search

Software-Simian — Thu, 21 Oct 2021 12:08:37 GMT

Hello,

i am trying to create a dependency map without the external creation of tokens that are being fed to the append searches.

Here is the motive:

I have a list of Sources and Targets, where as the Source of one Relation is the Target of many others and so on. This is recursive, but i would stop at 4 iterations for now 😉 )
The resulting table must only have the pairs of Source and Target Services as basis for the visualization.

The first search looks something like this:
index=poc_analyze_something_rather Target_Service=$my_initial_token_from dashboard$
| table Source_Service Target_Service

The initial token is being fed via drilldown from the dashboard. So far no issue at all. So the first search creates the list of Source_Services connected to the Target_Service (token).

Now i have actually two issues...sorry...
First is that i cannot create the table of the pairs and create a token at the same time.

The creation of the token would look something like this:
index=poc_analyze_something_rather Target_Service=$my_initial_token_from dashboard$
| stats values(Source_Service) as results | eval list_of_Source_Services_search_one = mvjoin(results, ",")

So the first issue is how to team them up in one search if possible

The second issue starts once i have the token. The second search would look something like that:
| append [ | search
index=poc_analyze_something_rather Target_Service IN($list_of_Source_Services_Search_one$)
| table Source_Service Target_Service
]

However the first search does not seem to pass the token along into the append search.
It is no issue at all if i make a search in the dashboard (no visualization) like this to create the token:

<search>
<query>
index=poc_analyze_something_rather Target_Service=$my_initial_token_from dashboard$
| stats values(Source_Service) as results | eval source_list= mvjoin(results, ",")
</query>
<earliest>-15m</earliest>
<latest>now</latest>
<done>
<set token="list_of_Source_Services_Search_one">$result.source_list$</set>
</done>
</search>

The append search has no issues at all with this token. However there must be a way to create the list the Source and Targets without resulting to a dashboard with xml coded searches.

Any idea?

Thanks Mike

Re: Creating a token in first search and passing it on to append search

richgalloway — Thu, 21 Oct 2021 13:25:46 GMT

There is no passing of tokens/fields into subsearches in SPL. The only exception is with the map command.

Sometimes, one can work around this by refactoring the search so the token is created in a subsearch and passed OUT to the main search. That probably won't work in this case so a dashboard is the way to go.

Re: Creating a token in first search and passing it on to append search

Software-Simian — Thu, 21 Oct 2021 13:36:00 GMT

Hi,

thanks for the response.

Yes concatinating the search string entirely out of tokens is possible and i already use it for standard charts that only differ in a metric or so...make the code much slimmer. However this would mean that the Visualization search is triggered each time that a sub token is filled or it displays depending on the ofset errors or no results found...However this procedure makes the Visualization rather...flickery as the one append relies of a token from the previous append or main search. So if i have 3 sub searches the charts loads about 3 times just for one search.

topic Re: Creating a token in first search and passing it on to append search in Splunk Search

Creating a token in first search and passing it on to append search

Re: Creating a token in first search and passing it on to append search

Re: Creating a token in first search and passing it on to append search