Can there be nested multireport commands?

teresachila · ‎04-24-2018

I am using the multireport command to help manage some external lookup and caching. When I use one multireport command, it works fine:

| makeresults | eval tmp="abc123.test|edf1234.test|abcdefg1234567890.test"  | eval tmp2=split(tmp,"|") | mvexpand tmp2 | fields - tmp | rename tmp2 as mydomain
| eval len=len(mydomain)
| multireport
   [|where len<20 | eval isLess20="True"]
   [|where len>=20 | eval whatever="whatever"]

When I try to use another multireport within one of the subqueries in the first multireport, I get "No results found".

| makeresults | eval tmp="abc123.test|edf1234.test|abcdefg1234567890.test"  | eval tmp2=split(tmp,"|") | mvexpand tmp2 | fields - tmp | rename tmp2 as mydomain
| eval len=len(mydomain)
| multireport
   [|where len<20 | eval isLess20="True"]
   [|where len>=20 | eval whatever="whatever"
     | multireport
        [| table len mydomain whatever ]
        [| table _time len]
    ]

The example above has been simplified to illustrate the issue. But my real-world situation is this: before the 1st multireport command, I check against a lookup cache. If the cache has a match, show that set of results (this is the 1st subquery of the 1st multireport). If the cache has no match (2nd subquery of the 1st multireport), then perform a custom command to retrieve the data, then save to the cache and display the results. However, the list of fields to save to the cache is different than that to display, so I want to use another multireport to fork two branches -- one for saving a list of fields to the cache, and another to display a slightly different set of fields to the user.

Can there be nested multireport commands?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!