
[Sideview Utils] How to perform a search that use results from other searches

guilhem
Contributor

Hello!

I'm kind of new to Splunk and have to create a pretty advanced dashboard, so excuse me if my question seems silly, but I've been playing around with Sideview Utils and cannot find a "good" way to achieve what I want.

Here is the problem I face: I have a top-level Pulldown module which contains a list of values (say "Last", "Last and previous", "Last 10" and "Custom"). Depending on the chosen value, the view will display different charts using different searches, so I'm using a Switcher module to do this.

Each of the searches I want to run takes the value of the pulldown as a parameter and uses it inside the search:

eg: * | top $pulldownValue$ | sort - version

Up to this point everything runs just fine. So here is the question:

How can I pass the "version" values down to other searches using an OR separator (like what is done in the Pulldown module)?

eg: I want to run the search: * version=("first result of upstream search" OR "second result of upstream search" ...) | "do some stuff"

I'm trying to use the ResultsValueSetter, but it only seems to return values from the first row. I'd like to have the exact same options as in the Pulldown module (name, template ...). Is it possible?

Many thanks!

1 Solution

sideview
SplunkTrust

If I understand you correctly, you got close.

Let me try and restate your problem though first.

You have a Pulldown that returns a key called pulldownValue. That key then drives a Switcher which forks config downstream from itself into several structurally different searches. Some or all of those searches then use the $pulldownValue$ itself.

You want one or more of these searches to also use, as search terms, a big OR expression, where the values searched in that OR expression are all the values returned for a particular field from the main upstream search.

You've seen that the Pulldown module, when used in its multiple-selection mode, outputs a key like ( foo="value1" OR foo="value2" OR foo="value17" ) and you want to do the same thing, but more like how ResultsValueSetter does it.

If I didn't restate it well, then the rest of this answer may be confusing.

ResultsValueSetter will indeed only get field values from the first row. However, you can also use PostProcess to marshal all your data into a single row and into whatever syntax you need.

If the values might ever have quote characters in them, you'll have to tread a little more carefully. But here's the idea. You insert this just below the dispatch waterline of the upper search.

<module name="PostProcess">
  <!-- collapse every distinct version into one row, then build the OR clause
       into the field that ResultsValueSetter reads below -->
  <param name="search">stats values(version) as version | eval complexORClause="( version=\"" + mvjoin(version,"\" OR version=\"") + "\" )"</param>
  <module name="ResultsValueSetter">
    <param name="field">complexORClause</param>
    <!-- downstream modules that use $complexORClause$ go here -->
  </module>
</module>
Then downstream from the ResultsValueSetter, you can use a key $complexORClause$, and its value will be basically a big OR clause of all the version="foo" values that were present in that upper search.

It can't hurt to post the relevant XML you're talking about here. Or you can email it to me at nick [at] sideviewapps.com. Plus, if there are other noteworthy wrinkles in there or opportunities for improvement, I can point those out for you too.
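The quote-character caveat in the answer is the part a dashboard author most often skips: a field value containing a double quote ends its quoted term early, and whatever follows becomes part of the downstream search. As an added example (not code from the original post or from Sideview Utils), the Python below reproduces what the PostProcess eval builds with mvjoin, beside a variant that escapes backslashes and quotes first; it assumes the field values arrive as a plain list of strings.

```python
def mvjoin_clause(field, values):
    """Mirror of the page's eval: stats values() dedupes and sorts the
    multivalue field, mvjoin glues the values with '" OR field="'.
    Values are inserted verbatim, exactly as the eval does."""
    unique = sorted({v for v in values if v})
    if not unique:
        return None  # no rows in the upper search: no clause to pass down
    return '( ' + " OR ".join(f'{field}="{v}"' for v in unique) + ' )'


def spl_quote(value):
    """Return value as a double-quoted search literal with backslashes and
    double quotes escaped (assumption: the same \\ and \" escapes the
    page's eval already relies on), so the value cannot close the term."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def safe_or_clause(field, values):
    """Same clause as mvjoin_clause, but every value stays inside its own
    quoted term even if it contains a quote."""
    unique = sorted({v for v in values if v})
    if not unique:
        return None
    return '( ' + " OR ".join(f"{field}={spl_quote(v)}" for v in unique) + ' )'


def term_count(clause):
    """Count the quoted terms in a clause without treating escaped quotes
    as terminators; a constructed check for comparing the two builders."""
    n, in_term, i = 0, False, 0
    while i < len(clause):
        c = clause[i]
        if c == "\\":
            i += 2  # skip the escaped character
            continue
        if c == '"':
            in_term = not in_term
            if not in_term:
                n += 1
        i += 1
    return n


if __name__ == "__main__":
    # constructed sample: one well-formed version plus one containing a quote
    sample = ["2.1", '1.0" OR "x']
    print(mvjoin_clause("version", sample))   # the stray quote opens a third term
    print(safe_or_clause("version", sample))  # still exactly two terms
```

Running the module shows the verbatim clause growing an extra term while the escaped one keeps one term per value.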


guilhem
Contributor

Thank you very much for the quick answer. I was trying to modify my search to include something like what you have done in the PostProcess (merging all the version values into one field, so the ResultsValueSetter can pass it to downstream modules), but I didn't want to modify my search, as it may be used elsewhere by other modules that need the results as several fields.

This is a good example of how to use PostProcess (I haven't tried it yet, but it looks like the solution to several problems that I have).

I have tested it and it works great!

Thanks
