All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

using output from a query as the query for another query

ChrisCLewis
Communicator
‎09-05-2019 02:30 AM

I am using the Custom Radar add on visualization. It requires using |makeresults to generate the data needed to create the graph.
I have worked out how to run a query that produces the |makeresults needed but I can't work out how to use that output as the query for a search.

Is this something people have looked at (not just for the add on).

Many thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ChrisCLewis
Communicator
‎09-05-2019 08:07 AM

I have found the solution:

You assign the output with a token using the following:

set token="field_token">$result.base$

Then in another panel you use the following query
|loadjob $field_token$

result.base only takes the first value for the field which is fine as all the results have been combined. I found it when looking into tokens and id's for searches (https://answers.splunk.com/answers/660087/why-is-the-token-resultfield-not-populating-as-def.html).

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ChrisCLewis
Communicator
‎09-05-2019 08:07 AM

I have found the solution:

You assign the output with a token using the following:

set token="field_token">$result.base$

Then in another panel you use the following query
|loadjob $field_token$

result.base only takes the first value for the field which is fine as all the results have been combined. I found it when looking into tokens and id's for searches (https://answers.splunk.com/answers/660087/why-is-the-token-resultfield-not-populating-as-def.html).

0 Karma
Reply
Solved! Jump to solution

diogofgm
SplunkTrust
SplunkTrust
‎09-05-2019 02:45 AM

can you post the SPL you have so far?

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

ChrisCLewis
Communicator
‎09-05-2019 03:12 AM

Many thanks for the speedy reply, the SPL is:

index="foo" Name="bar" NOT delta="epsilon*" Number !=""
|stats values(Number) as number by Date Description
|sort Date
|lookup data Date OUTPUT colour as hue
|eval niche=",".Description."=".number
|stats values(hue) as hue values(niche) as niche by Date
| nomv niche
|eval base= "| append[| makeresults |eval key=\"".Date."\" ".niche."| untable key,\"axis\",\"value\" | eval keyColor=\"".hue."\"]"
|stats values(base) as base
|mvcombine delim=" " base
|nomv base
|stats values(base)

This is the output from the SPL which is a search that the add on would accept
| append[| makeresults |eval key="201705" ,variable1=0 ,variable2=1 ,variable3=2 ,variable4=5 | untable key,"axis","value" | eval keyColor="magenta"] | append[| makeresults |eval key="201805" ,variable1=3 ,variable2=5 ,variable3=1 ,variable4=3 | untable key,"axis","value" | eval keyColor="blue"] | append[| makeresults |eval key="201905" ,variable1=2 ,variable2=2 ,variable3=1 ,variable4=1 | untable key,"axis","value" | eval keyColor="green"]

0 Karma
Reply
Solved! Jump to solution

ChrisCLewis
Communicator
‎09-05-2019 02:57 AM

Many thanks for a speedy reply
This is the code
index="foo" Name="bar" NOT delta="epsilon*" Number !=""
|stats values(Number) as number by Date Description
|sort Date
|lookup data Date OUTPUT colour as hue
|eval niche=",".Description."=".number
|stats values(hue) as hue values(niche) as niche by Date
| nomv niche
|eval base= "| append[| makeresults |eval key=\"".Date."\" ".niche."| untable key,\"axis\",\"value\" | eval keyColor=\"".hue."\"]"
|stats values(base) as base
|mvcombine delim=" " base
|nomv base
|stats values(base)

If there were three time periods it produces this output which is needed for the visualization - now need to turn the output into it's own query...
base
| append[| makeresults |eval key="201705" ,variable1=0 ,variable2=1 ,variable3=2 ,variable4=5 | untable key,"axis","value" | eval keyColor="magenta"] | append[| makeresults |eval key="201805" ,variable1=3 ,variable2=5 ,variable3=1 ,variable4=3 | untable key,"axis","value" | eval keyColor="blue"] | append[| makeresults |eval key="201905" ,variable1=2 ,variable2=2 ,variable3=1 ,variable4=1 | untable key,"axis","value" | eval keyColor="green"]

0 Karma
Reply
Get Updates on the Splunk Community!

What’s New in Splunk Cloud Platform 9.1.2308?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2308! Analysts can ...

Index This | Why do they call it hyper text?

November 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk

For the past three years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...