
using output from a query as the query for another query

Communicator

I am using the Custom Radar add-on visualization. It requires using |makeresults to generate the data needed to create the graph.
I have worked out how to run a query that produces the |makeresults needed, but I can't work out how to use that output as the query for a search.

Is this something people have looked at (not just for the add-on)?

Many thanks


Re: using output from a query as the query for another query

Motivator

can you post the SPL you have so far?

------------
Hope I was able to help you. If so, an upvote would be appreciated.

Re: using output from a query as the query for another query

Communicator

Many thanks for a speedy reply. This is the code:
index="foo" Name="bar" NOT delta="epsilon*" Number !=""
| stats values(Number) as number by Date Description
| sort Date
| lookup data Date OUTPUT colour as hue
| eval niche=",".Description."=".number
| stats values(hue) as hue values(niche) as niche by Date
| nomv niche
| eval base="| append[| makeresults |eval key=\"".Date."\" ".niche."| untable key,\"axis\",\"value\" | eval keyColor=\"".hue."\"]"
| stats values(base) as base
| mvcombine delim=" " base
| nomv base
| stats values(base)

If there were three time periods it produces this output, which is needed for the visualization; now I need to turn the output into its own query...
base
| append[| makeresults |eval key="201705" ,variable1=0 ,variable2=1 ,variable3=2 ,variable4=5 | untable key,"axis","value" | eval keyColor="magenta"] | append[| makeresults |eval key="201805" ,variable1=3 ,variable2=5 ,variable3=1 ,variable4=3 | untable key,"axis","value" | eval keyColor="blue"] | append[| makeresults |eval key="201905" ,variable1=2 ,variable2=2 ,variable3=1 ,variable4=1 | untable key,"axis","value" | eval keyColor="green"]


Re: using output from a query as the query for another query

Communicator

I have found the solution:

You assign the output to a token using the following:

<done>
  <set token="field_token">$result.base$</set>
</done>

Then in another panel you use the following query:
|loadjob $field_token$

result.base only takes the first value for the field, which is fine as all the results have been combined. I found it when looking into tokens and IDs for searches (https://answers.splunk.com/answers/660087/why-is-the-token-resultfield-not-populating-as-def.html).

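The token wiring described in the accepted answer, written out as a complete Simple XML dashboard. This is an added example, not the original poster's dashboard: the base search is the SPL from the thread, the done handler copies the first result's base field into the token, and a second panel substitutes the token into its own query. Two things are deliberate departures from the posted SPL: the final | stats values(base) is dropped, because without an "as base" it names the output field values(base) and $result.base$ would then be empty; and the consuming query is prefixed with | makeresults count=0, because the generated string starts with | append[...] and needs a generating command in front of it. The time range, the search id, and the use of a plain table in the second panel are assumptions; the radar add-on's own viz element is not named in the thread, so replace the table with it.

```xml
<form>
  <label>Radar input built from search results</label>
  <!-- Added example, not the original poster's dashboard. -->

  <!-- Base search: the poster's SPL minus the trailing "stats values(base)".
       It yields one row whose "base" field is the generated
       "| append[...] | append[...]" string. -->
  <search id="base_search">
    <query>
index="foo" Name="bar" NOT delta="epsilon*" Number !=""
| stats values(Number) as number by Date Description
| sort Date
| lookup data Date OUTPUT colour as hue
| eval niche=",".Description."=".number
| stats values(hue) as hue values(niche) as niche by Date
| nomv niche
| eval base="| append[| makeresults |eval key=\"".Date."\" ".niche."| untable key,\"axis\",\"value\" | eval keyColor=\"".hue."\"]"
| stats values(base) as base
| mvcombine delim=" " base
| nomv base
    </query>
    <!-- assumed time range -->
    <earliest>-7d</earliest>
    <latest>now</latest>
    <done>
      <!-- $result.base$ is the "base" field of the first result row only;
           the SPL above has already collapsed every row into that one value. -->
      <set token="field_token">$result.base$</set>
    </done>
  </search>

  <row>
    <panel>
      <title>Generated SPL, run as its own search</title>
      <!-- depends keeps the panel hidden until the token exists, so the
           second search never runs with an empty or stale query -->
      <table depends="$field_token$">
        <search>
          <!-- the token begins with "| append[...]", so a generating command
               must precede it; makeresults count=0 contributes no row of its own -->
          <query>| makeresults count=0 $field_token$</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

One caveat worth keeping in mind when using this pattern: the base search assembles SPL by concatenating raw field values (Date, Description, number and the hue returned by the lookup) with no quoting, and the token is substituted into the second search verbatim. A Description containing a space, a double quote or a pipe will either break the generated eval or change what the second search runs, so constrain those fields to the values you expect (for example by filtering them in the base search) before trusting the generated query.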