All Apps and Add-ons
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- using output from a query as the query for anothe...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ChrisCLewis
Communicator
09-05-2019
02:30 AM
I am using the Custom Radar add on visualization. It requires using |makeresults to generate the data needed to create the graph.
I have worked out how to run a query that produces the |makeresults needed but I can't work out how to use that output as the query for a search.
Is this something people have looked at (not just for the add on).
Many thanks
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ChrisCLewis
Communicator
09-05-2019
08:07 AM
I have found the solution:
You assign the output with a token using the following:
set token="field_token">$result.base$
Then in another panel you use the following query
|loadjob $field_token$
result.base only takes the first value for the field which is fine as all the results have been combined. I found it when looking into tokens and id's for searches (https://answers.splunk.com/answers/660087/why-is-the-token-resultfield-not-populating-as-def.html).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ChrisCLewis
Communicator
09-05-2019
08:07 AM
I have found the solution:
You assign the output with a token using the following:
set token="field_token">$result.base$
Then in another panel you use the following query
|loadjob $field_token$
result.base only takes the first value for the field which is fine as all the results have been combined. I found it when looking into tokens and id's for searches (https://answers.splunk.com/answers/660087/why-is-the-token-resultfield-not-populating-as-def.html).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
diogofgm
SplunkTrust
09-05-2019
02:45 AM
can you post the SPL you have so far?
------------
Hope I was able to help you. If so, some karma would be appreciated.
Hope I was able to help you. If so, some karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ChrisCLewis
Communicator
09-05-2019
03:12 AM
Many thanks for the speedy reply, the SPL is:
index="foo" Name="bar" NOT delta="epsilon*" Number !=""
|stats values(Number) as number by Date Description
|sort Date
|lookup data Date OUTPUT colour as hue
|eval niche=",".Description."=".number
|stats values(hue) as hue values(niche) as niche by Date
| nomv niche
|eval base= "| append[| makeresults |eval key=\"".Date."\" ".niche."| untable key,\"axis\",\"value\" | eval keyColor=\"".hue."\"]"
|stats values(base) as base
|mvcombine delim=" " base
|nomv base
|stats values(base)
This is the output from the SPL which is a search that the add on would accept
| append[| makeresults |eval key="201705" ,variable1=0 ,variable2=1 ,variable3=2 ,variable4=5 | untable key,"axis","value" | eval keyColor="magenta"] | append[| makeresults |eval key="201805" ,variable1=3 ,variable2=5 ,variable3=1 ,variable4=3 | untable key,"axis","value" | eval keyColor="blue"] | append[| makeresults |eval key="201905" ,variable1=2 ,variable2=2 ,variable3=1 ,variable4=1 | untable key,"axis","value" | eval keyColor="green"]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ChrisCLewis
Communicator
09-05-2019
02:57 AM
Many thanks for a speedy reply
This is the code
index="foo" Name="bar" NOT delta="epsilon*" Number !=""
|stats values(Number) as number by Date Description
|sort Date
|lookup data Date OUTPUT colour as hue
|eval niche=",".Description."=".number
|stats values(hue) as hue values(niche) as niche by Date
| nomv niche
|eval base= "| append[| makeresults |eval key=\"".Date."\" ".niche."| untable key,\"axis\",\"value\" | eval keyColor=\"".hue."\"]"
|stats values(base) as base
|mvcombine delim=" " base
|nomv base
|stats values(base)
If there were three time periods it produces this output which is needed for the visualization - now need to turn the output into it's own query...
base
| append[| makeresults |eval key="201705" ,variable1=0 ,variable2=1 ,variable3=2 ,variable4=5 | untable key,"axis","value" | eval keyColor="magenta"] | append[| makeresults |eval key="201805" ,variable1=3 ,variable2=5 ,variable3=1 ,variable4=3 | untable key,"axis","value" | eval keyColor="blue"] | append[| makeresults |eval key="201905" ,variable1=2 ,variable2=2 ,variable3=1 ,variable4=1 | untable key,"axis","value" | eval keyColor="green"]
Get Updates on the Splunk Community!
Exciting News: The AppDynamics Community Joins Splunk!
Hello Splunkers,
I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...
The All New Performance Insights for Splunk
Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...
Good Sourcetype Naming
When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...
