Please Help a"search depends" and "search rejects"...

HenryFitzerald · ‎11-25-2018

ISSUE
Hi All I have two-drop down boxes with a 1 –many relationship with tokens “service family” and “feature” as below.
A user chooses a “service_family” & “feature” token used to execute a query as below & result is dependent on the chosen service_family & feature in query with a “lookup” & “Search” etc
index=internal sourcetype=BookWork
| lookup lookup fd$l_service_family_tok$_$l_enter_feature_tok$_map

| search fd_feature=$enter_feature_tok$

Example a user chooses EDH and STMT, service_family=EDH and enter_feature_tok=STMT
l_service_family_tok is just lowercase=”stmt” for query.
But I need to implement a new user choice called ALL so I made a service_family=ALL and feature “*” which produces everything in query theres no need to implement the lookup and search in query as it’s not required.

So when ALL is chosen the query executes
index=_internal sourcetype=BookWork
So issue is how to get a condition to execute part of query => (index=_internal sourcetype=BookWork) when user chooses A
Service_family Feature
EDH STMT
EDH INBOX
EDH STMT
EDH ACCTS
GMM CCA
GMM CIA
GMM RESAVER
HWBT PLA
PWS ALL

New Option =>
ALL *

I thought below would result in a conditional query to execute two queries in same panel and when ALL is chosen execute second query ( index=_internal sourcetype=BookWork)

I thought to set a token called All as true two ll in (All) lowercase as below and *.

      <condition value="ALL">
        <set token="feature_values">*</set>
        <!--set token="feature_values">ALL</set-->
        <set token="All">true</set>
        <unset token="form.enter_feature_tok"></unset>
      </condition>

And create 2 search queries for and as below.

<search depends="$All$">
      <title>BookWorks ALL and individual choices events</title>
      <search>
        <query> index=_internal  sourcetype=BookWork </query>
        <earliest>$master_time_span.earliest$</earliest>
        <latest>$master_time_span.latest$</latest>
      </search>
      <option name="charting.chart">column</option>
      <option name="charting.drilldown">none</option>
    </chart>
     <search rejects="$All$">
       <title>BookWorks</title>
       <search>
         <query>
          index=_internal  sourcetype=BookWork 
          | lookup lookup fd_$l_service_family_tok$_$l_enter_feature_tok$_map  
          | search fd_feature=$enter_feature_tok$ 
         </query>
  </search>

I do not know how to get it to work and obtained the errors search not allowed etc, I did further reading it says “reject” & “depends” is not an attribute of search trying a chart .

http://docs.splunk.com/Documentation/Splunk/7.2.1/Viz/tokens

CODE

 <form>
 <label>EVENTS-ALL</label>
 <description>Shows  events ALL</description>
 <fieldset submitButton="true" autoRun="false"> 
 <input type="time" token="master_time_span">
    <label>Chart time span</label>
    <default>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </default>
  </input>
  <input type="dropdown" token="service_family_tok" searchWhenChanged="true">
    <label>Choose Service Family:</label>
    <choice value="ALL">ALL</choice>
    <choice value="GMM">GMM</choice>
    <choice value="HWBT">HWBT</choice>
    <choice value="EDH">EDH</choice>
    <choice value="PWS">PWS</choice>
    <default>ALL</default>
    <initialValue>ALL</initialValue>
    <change>
      <condition value="ALL">
        <set token="feature_values">*</set>
        <!--set token="feature_values">ALL</set-->
        <set token="All">true</set>
        <set token="feature_values">*</set>
        <unset token="form.enter_feature_tok"></unset>
      </condition>
      <condition value="EDH">
        <set token="feature_values">MANACCS,INBOX,STMT,ACTS</set>
        <unset token="form.enter_feature_tok"></unset>
      </condition>
      <condition value="GMM">
        <set token="feature_values">CCA,CIA,REG</set>
        <unset token="form.enter_feature_tok"></unset>
      </condition>
      <condition value="HWBT">
        <set token="feature_values">PLA</set>
        <unset token="form.enter_feature_tok"></unset>
      </condition>
      <condition value="PWS">
        <set token="feature_values">ALL</set>
        <unset token="form.enter_feature_tok"></unset>
      </condition>
    </change>
  </input>
  <input type="dropdown" token="enter_feature_tok">
    <label>Choose Feature:</label>
    <fieldForLabel>feature</fieldForLabel>
    <fieldForValue>feature</fieldForValue>
    <search>
      <query>|makeresults|eval feature="$feature_values$"|makemv feature delim=","|mvexpand feature</query>
      <earliest>-1s@s</earliest>
      <latest>now</latest>
    </search>
    <change>
      <eval token="l_service_family_tok">lower($service_family_tok$)</eval>
      <eval token="l_enter_feature_tok">lower($value$)</eval>
    </change>
  </input>
  <panel>
    <title>BookWorks</title>
    <chart depends="$All$">
      <title>BookWorks ALL and individual choices events</title>
      <search>
        <query> index=_internal  sourcetype=BookWork </query>
        <earliest>$master_time_span.earliest$</earliest>
        <latest>$master_time_span.latest$</latest>
      </search>
      <option name="charting.chart">column</option>
      <option name="charting.drilldown">none</option>
    </chart>
     <chart rejects="$All$">
       <title>BookWorks</title>
       <search>
         <query>
          index=_internal  sourcetype=BookWork 
          | lookup lookup fd_$l_service_family_tok$_$l_enter_feature_tok$_map  
          | search fd_feature=$enter_feature_tok$ 
         </query>
       </search>
       <option name="charting.chart">column</option>
      <option name="charting.drilldown">none</option> 
     </chart>
  </panel>
 </row>
 </form>

Please Help a"search depends" and "search rejects" not working

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!