All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

using output from a query as the query for another query

ChrisCLewis
Communicator
‎09-05-2019 02:30 AM

I am using the Custom Radar add on visualization. It requires using |makeresults to generate the data needed to create the graph.
I have worked out how to run a query that produces the |makeresults needed but I can't work out how to use that output as the query for a search.

Is this something people have looked at (not just for the add on).

Many thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ChrisCLewis
Communicator
‎09-05-2019 08:07 AM

I have found the solution:

You assign the output with a token using the following:

set token="field_token">$result.base$

Then in another panel you use the following query
|loadjob $field_token$

result.base only takes the first value for the field which is fine as all the results have been combined. I found it when looking into tokens and id's for searches (https://answers.splunk.com/answers/660087/why-is-the-token-resultfield-not-populating-as-def.html).

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ChrisCLewis
Communicator
‎09-05-2019 08:07 AM

I have found the solution:

You assign the output with a token using the following:

set token="field_token">$result.base$

Then in another panel you use the following query
|loadjob $field_token$

result.base only takes the first value for the field which is fine as all the results have been combined. I found it when looking into tokens and id's for searches (https://answers.splunk.com/answers/660087/why-is-the-token-resultfield-not-populating-as-def.html).

0 Karma
Reply
Solved! Jump to solution

diogofgm
SplunkTrust
SplunkTrust
‎09-05-2019 02:45 AM

can you post the SPL you have so far?

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

ChrisCLewis
Communicator
‎09-05-2019 03:12 AM

Many thanks for the speedy reply, the SPL is:

index="foo" Name="bar" NOT delta="epsilon*" Number !=""
|stats values(Number) as number by Date Description
|sort Date
|lookup data Date OUTPUT colour as hue
|eval niche=",".Description."=".number
|stats values(hue) as hue values(niche) as niche by Date
| nomv niche
|eval base= "| append[| makeresults |eval key=\"".Date."\" ".niche."| untable key,\"axis\",\"value\" | eval keyColor=\"".hue."\"]"
|stats values(base) as base
|mvcombine delim=" " base
|nomv base
|stats values(base)

This is the output from the SPL which is a search that the add on would accept
| append[| makeresults |eval key="201705" ,variable1=0 ,variable2=1 ,variable3=2 ,variable4=5 | untable key,"axis","value" | eval keyColor="magenta"] | append[| makeresults |eval key="201805" ,variable1=3 ,variable2=5 ,variable3=1 ,variable4=3 | untable key,"axis","value" | eval keyColor="blue"] | append[| makeresults |eval key="201905" ,variable1=2 ,variable2=2 ,variable3=1 ,variable4=1 | untable key,"axis","value" | eval keyColor="green"]

0 Karma
Reply
Solved! Jump to solution

ChrisCLewis
Communicator
‎09-05-2019 02:57 AM

Many thanks for a speedy reply
This is the code
index="foo" Name="bar" NOT delta="epsilon*" Number !=""
|stats values(Number) as number by Date Description
|sort Date
|lookup data Date OUTPUT colour as hue
|eval niche=",".Description."=".number
|stats values(hue) as hue values(niche) as niche by Date
| nomv niche
|eval base= "| append[| makeresults |eval key=\"".Date."\" ".niche."| untable key,\"axis\",\"value\" | eval keyColor=\"".hue."\"]"
|stats values(base) as base
|mvcombine delim=" " base
|nomv base
|stats values(base)

If there were three time periods it produces this output which is needed for the visualization - now need to turn the output into it's own query...
base
| append[| makeresults |eval key="201705" ,variable1=0 ,variable2=1 ,variable3=2 ,variable4=5 | untable key,"axis","value" | eval keyColor="magenta"] | append[| makeresults |eval key="201805" ,variable1=3 ,variable2=5 ,variable3=1 ,variable4=3 | untable key,"axis","value" | eval keyColor="blue"] | append[| makeresults |eval key="201905" ,variable1=2 ,variable2=2 ,variable3=1 ,variable4=1 | untable key,"axis","value" | eval keyColor="green"]

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...