All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

[Sideview Utils] How to perform a search that use results from other searches

guilhem
Contributor
‎10-01-2012 06:27 AM

Hello!

I'm kinda new into splunk, and have to create a pretty advanced dashboard, so excuse me if my questions seems silly, but I've been playing around with sideview utils and cannot find a "good" way to achieve what I want.

Here is the problem I face: I'm having a top level pulldown module, which contains a list of values (say "Last", "Last and previous", "Last 10" and "Custom"), depending on the chosen value, the view will display different charts, using different searches, so I'm using a switcher module to do this.

Each of the searches I want to run takes as a parameter the value of the pulldown and use it inside the searches:

eg: * | top $pulldownValue$ | sort - version

Up to this point everything runs just fine. So here the question:

How can I pass the "version" values down to other searches using an OR separator (like what is done in the pulldown module).

eg: I want to run the searche: * version=("first result of upstream search" OR " second result of upstream seache" ...) | "do some stuff"

I'm trying to use the ResultsValueSetter, but it only seems to return values of the first row? I'd like to have the exact same option like in the pulldown module (name, template ...). Is it possible?

Many thanks!

Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎10-01-2012 09:57 AM

If I understand you correctly, you got close.

Let me try and restate your problem though first.

You have a Pulldown that returns a key called pulldownValue. That key then drives a Switcher which forks config downstream from itself into several structurally different searches. Some or all of those searches then use the $pulldownValue$ itself.

You want one or more of these searches to also use as searchterms, a big OR expression, where the values searched in that OR expression are all the values returned for a particular field, from the main upstream search.

You've seen that the Pulldown module, when used in it's multiple-selection mode, outputs a key like ( foo="value1" OR foo="value2" OR foo="value17" ) and you want to do the same thing, but more like how ResultsValueSetter does it.

If I didn't restate it well, then the rest of this answer may be confusing.

ResultsValueSetter indeed only will get field values from the first row. However you can also use PostProcess to marshal all your data into a single row and also into whatever syntax you need.

If the values might ever have quote characters in them, you'll have to tread a little more carefully. But here's the idea. You insert this just below the dispatch waterline of the upper search. 

<module name="PostProcess">
  <param name="search">stats values(version) as version | eval version="( version=\"" + mvjoin(version,"\" OR version=\"") + "\" )"</param>
  <module name="ResultsValueSetter">
    <param name="field">complexORClause</param>

Then downstream from the ResultsValueSetter, you can use a key $complexORClause$, and it's value will be basically a big OR clause of all the version="foo" values that were present in that upper search.

It can't hurt to post the relevant XML you're talking about here. Or you can email it to me at nick [at] sideviewapps.com Plus if there are other note-worthy wrinkles in there or opportunities for improvement, I can point those out for you too.

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎10-01-2012 09:57 AM

If I understand you correctly, you got close.

Let me try and restate your problem though first.

You have a Pulldown that returns a key called pulldownValue. That key then drives a Switcher which forks config downstream from itself into several structurally different searches. Some or all of those searches then use the $pulldownValue$ itself.

You want one or more of these searches to also use as searchterms, a big OR expression, where the values searched in that OR expression are all the values returned for a particular field, from the main upstream search.

You've seen that the Pulldown module, when used in it's multiple-selection mode, outputs a key like ( foo="value1" OR foo="value2" OR foo="value17" ) and you want to do the same thing, but more like how ResultsValueSetter does it.

If I didn't restate it well, then the rest of this answer may be confusing.

ResultsValueSetter indeed only will get field values from the first row. However you can also use PostProcess to marshal all your data into a single row and also into whatever syntax you need.

If the values might ever have quote characters in them, you'll have to tread a little more carefully. But here's the idea. You insert this just below the dispatch waterline of the upper search. 

<module name="PostProcess">
  <param name="search">stats values(version) as version | eval version="( version=\"" + mvjoin(version,"\" OR version=\"") + "\" )"</param>
  <module name="ResultsValueSetter">
    <param name="field">complexORClause</param>

Then downstream from the ResultsValueSetter, you can use a key $complexORClause$, and it's value will be basically a big OR clause of all the version="foo" values that were present in that upper search.

It can't hurt to post the relevant XML you're talking about here. Or you can email it to me at nick [at] sideviewapps.com Plus if there are other note-worthy wrinkles in there or opportunities for improvement, I can point those out for you too.

Reply
Solved! Jump to solution

guilhem
Contributor
‎10-02-2012 02:06 AM

Thanks you very much for the quick answer. I was trying to modify my search to include something like what you have done in the post process (merging all the versions values into one field, so the ResultsValueSetter can pass it to downstream modules), but I didn't want to modify my search, as it may be used elsewhere by other modules that needs the results as several fields.

This is a good example of how to use postProcess (didn't tried it yet, but it looks like the solution to several problems that I have).

I have tested it and it work great!

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...