Please help "search depends" and "search rejects...

HenryFitzerald · ‎11-24-2018

I set the token "All" but whenever I try to place the second ""
in the panel I obtain
Warning on line 76: Expected at most 1 children of base-search in chart, instead saw 2
Warning on line 83: Node is not allowed here
I had to comment out chart but it changes the whole panel & cannot drill down so I am unable to add
a second query.

<!--option name="charting.chart">column
<!--option name="charting.drilldown">none
Code is in next comment

DavidHourani · ‎11-27-2018

Please check my answer on your repost :

https://answers.splunk.com/answers/701762/repost-please-can-anyone-help-help-search-depends.html?chi...

Cheers,
David

deking_splunk · ‎11-27-2018

Hi

It looks like to me you are missing a closing query tag in your XML. Hence the next search tag is interpreted as a child of query

 <query>
   index=_internal  sourcetype=BookWork

MISSING QUERY TAG CLOSE HERE

woodcock · ‎11-24-2018

I don't get it at all. Please post your ENTIRE xml.

HenryFitzerald · ‎11-25-2018

Hi WoodCock thanks for contact I have reposted with the code as

REPOST PLEASE CAN ANYONE HELP SEARCH DEPENDS REJECTS
https://answers.splunk.com/answers/701762/repost-please-can-anyone-help-help-search-depends.html

HenryFitzerald · ‎11-25-2018

CODE

EVENTS-ALL
Shows events ALL.

<input type="time" token="master_time_span">
  <label>Chart time span</label>
  <default>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </default>
</input>
<input type="dropdown" token="service_family_tok" searchWhenChanged="true">
  <label>Choose Service Family:</label>
  <choice value="ALL">ALL</choice>
  <choice value="GMM">GMM</choice>
  <choice value="HWBT">HWBT</choice>
  <choice value="EDH">EDH</choice>
  <choice value="PWS">PWS</choice>
  <default>ALL</default>
  <initialValue>ALL</initialValue>
  <change>
    <condition value="ALL">
      <set token="feature_values">*</set>
      <!--set token="feature_values">ALL</set-->
      <set token="All">true</set>
      <set token="feature_values">*</set>
      <unset token="form.enter_feature_tok"></unset>
    </condition>
    <condition value="EDH">
      <set token="feature_values">MANACCS,INBOX,STMT,ACTS</set>
      <unset token="form.enter_feature_tok"></unset>
    </condition>
    <condition value="GMM">
      <set token="feature_values">CCA,CIA,REG</set>
      <unset token="form.enter_feature_tok"></unset>
    </condition>
    <condition value="HWBT">
      <set token="feature_values">PLA</set>
      <unset token="form.enter_feature_tok"></unset>
    </condition>
    <condition value="PWS">
      <set token="feature_values">ALL</set>
      <unset token="form.enter_feature_tok"></unset>
    </condition>
  </change>
</input>
<input type="dropdown" token="enter_feature_tok">
  <label>Choose Feature:</label>
  <fieldForLabel>feature</fieldForLabel>
  <fieldForValue>feature</fieldForValue>
  <search>
    <query>|makeresults|eval feature="$feature_values$"|makemv feature delim=","|mvexpand feature</query>
    <earliest>-1s@s</earliest>
    <latest>now</latest>
  </search>
  <change>
    <eval token="l_service_family_tok">lower($service_family_tok$)</eval>
    <eval token="l_enter_feature_tok">lower($value$)</eval>
  </change>
</input>


<panel>
  <title>BookWorks</title>
  <chart depends="$All$">
    <title>BookWorks ALL and individual choices events</title>
    <search>
      <query> index=_internal  sourcetype=BookWork </query>
      <earliest>$master_time_span.earliest$</earliest>
      <latest>$master_time_span.latest$</latest>
    </search>
    <option name="charting.chart">column</option>
    <option name="charting.drilldown">none</option>
  </chart>
   <chart rejects="$All$">
     <title>BookWorks</title>
     <search>
       <query>
        index=_internal  sourcetype=BookWork 
        | lookup lookup fd_$l_service_family_tok$_$l_enter_feature_tok$_map  
        | search fd_feature=$enter_feature_tok$ 
       </query>
     </search>
     <option name="charting.chart">column</option>
    <option name="charting.drilldown">none</option> 
   </chart>
</panel>

HenryFitzerald · ‎11-25-2018

Hi WoodCock,Thanks for reply apologies tried to delete previous post & repost without success.
I have placed XML text at the very end in a new comment.

ISSUE
I have two-drop down boxes with a 1-Many relationship with tokens "service_family" and "feature" as below. A user chooses a "service_family" & "feature" token used to execute a query as below and results is dependant on the chosen service_family and feature in the query doing a "lookup" and "search".
query =>
index=internal sourcetype=FilmWork
| lookup fd$l_service_family_tok$_$l_enter_feature_tok$_microservice_map

| search feature=$enter_feature_tok$

Example user chooses EDH & STMT service_family_tok =EDH and enter_feature_tok=STMT
l_enter_feature_tok is just lowercase="stmt" in query.

But I need to implement a new user choice called ALL so I made service_family="ALL" & feature * which produces everything in query theres no need to implement lookup and search of query as it's not required.

So when ALL is chosen the query that executes is:-
=> index=_internal sourcetype=FilmWork

Theres no lookup & search.
So issue is how to get a condition to execute query => index=_internal sourcetype=FilmWork when the user chooses ALL, *.

Existing choices as below-
service_family feature

EDH STMT
EDH MANACSS
EDH INBOX
EDH STMT
EDH ACTS
GMM CCA
GMM CIA
GMM RESAVER
HWBT PLA
PWS ALL

New Option=>
ALL *

HenryFitzerald · ‎11-24-2018

Chart time span

 <earliest>-24h@h</earliest>
 <latest>now</latest>

Choose Service Family:
ALL
GNM
HWB
ED
PS
ALL
ALL

 <condition value="ALL">
   <set token="feature_values">ALL</set>
     <set token="All"></set>
     <unset token="form.enter_feature_tok"></unset>
 </condition>
 <condition value="EDH">
   <set token="feature_values">MANACCS,INBOX,STMT,ACTS</set>
   <unset token="form.enter_feature_tok"></unset>
 </condition>
 <condition value="GMN">
   <set token="feature_values">CCA,CIA,REG</set>
   <unset token="form.enter_feature_tok"></unset>
 </condition>
 <condition value="HWB">
   <set token="feature_values">PLA</set>
   <unset token="form.enter_feature_tok"></unset>
 </condition>
 <condition value="PS">
   <set token="feature_values">ALL</set>
   <unset token="form.enter_feature_tok"></unset>
 </condition>

Choose Feature:
feature
feature

 <query>|makeresults|eval feature="$feature_values$"|makemv feature delim=","|mvexpand feature</query>
 <earliest>-1s@s</earliest>
 <latest>now</latest>


 <eval token="l_service_family_tok">lower($service_family_tok$)</eval>
 <eval token="l_enter_feature_tok">lower($value$)</eval>











 <title>BookWorks events</title>
 <search rejects="$All$">
   <query>
    index=_internal  sourcetype=BookWork 
   | lookup lookup fd_$l_service_family_tok$_$l_enter_feature_tok$_map  
   | search fd_feature=$enter_feature_tok$ 
  </query>
   <earliest>$master_time_span.earliest$</earliest>
   <latest>$master_time_span.latest$</latest>
 </search>
    <search depends="$All$">
    <query>
      index=_internal  sourcetype=BookWork 
    </search>
 <option name="charting.chart">column</option>
 <option name="charting.drilldown">none</option>





 <title>BookWorks events</title>
 <search>
   <query> index=_internal  sourcetype=FilmWork 
   | lookup fd_$l_service_family_tok$_$l_enter_feature_tok$_map  
   | search fd_feature=$enter_feature_tok$ | 
  </query>
   <earliest>$master_time_span.earliest$</earliest>
   <latest>$master_time_span.latest$</latest>
 </search>
 <option name="list.drilldown">none</option>

Please help "search depends" and "search rejects" not working

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor