
How to Pass Tokens When Using Lookups

_gkollias
SplunkTrust

Hi All,

I have a search that is bumped against a lookup to display pretty customer names (field=corporation_name) rather than the ugly code names that are logged.

I would like to pass corporation_name via a bar graph that shows our top 10 customers, but the drill-down is expecting the ugly code name (field=ctg_identifier), thus I am unable to populate results.

One thing to note here is that the current lookup does not have a total list of corporation names. The bar graph displays half ugly code names, half pretty corporation_name. Drilling down by ugly code name is easy because it's already being logged, but how do I populate the corporation_name field on the other side?

I believe I need to add some specification to the drill-down page saying, "This pretty corporation_name token is actually the ugly code name in disguise!", but I have yet to be successful in what I have added. I tried using eval if's and replace.

Here is what I have on the drill-down page that works for the ugly code names (again, ugly code name is being logged as ctg_identifier):

index=contract_gateway_summary source=contract_process_summary ctg_identifier="$ctg_identifier$"
| stats count as txn_count, sum(total) as sum_total by bp_bp_name, svc_context_name, exit_status
| search NOT exit_status=SUCCESS
| eval sum_total=round(sum_total,2)
| eval sum_total=tostring(sum_total, "commas")
| eval sum_total=if(sum_total < 0, "-$$".trim(sum_total,"-"),"$$".sum_total)
| ctg_common_header_rename
| convert ctime(_time) as timestamp

Is there something I can add here that will help to pass ctg_identifier as corporation_name and populate the results?

Any insight will be greatly appreciated.

Thanks in advance!

0 Karma

_gkollias
SplunkTrust

Hi aweitzman,

I've finally gotten the above to work, but am having some trouble.

Here is the search which displays both corporation_name and ctg_identifier like so - corporation_name[ctg_identifier]. When drilling down, here is the search that helps to display corporation_name in the detail page (this compares txn volume today compared to same day last week):

index=contract_gateway_summary source=contract_process_summary earliest=@d exit_status=FAIL*
| stats count as txn_count by _time
| eval corporation_name="$corporation_name$"
| rex field=corporation_name "\[(?<ctg_identifier>[^\]]+)\]"
| eval marker="Today"
| append
[ search index=contract_gateway_summary source=contract_process_summary earliest=-7d@d latest=-6d@d exit_status=FAIL*
| stats count as txn_count by _time
| eval corporation_name="$corporation_name$"
| rex field=corporation_name "\[(?<ctg_identifier>[^\]]+)\]"
| eval marker="Last Week"
| eval _time=_time+604800]
| timechart span=30m max(txn_count) as txn_count by marker

The problem with this is that the txn counts are VERY high. I think it's because I'm looking into the entire index, for example Today, and then attempting to search by corporation_name. Is there something I can add to the search to only search for that customer's failure counts?

0 Karma
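The encode-and-extract round trip this thread settles on (display corporation_name with the ctg_identifier appended in brackets, pass that label through the drilldown URL, then pull the code back out on the detail page), as an added Python example that is not from any of the posts. The lookup table and customer codes are constructed, and the example goes slightly beyond the thread: it percent-encodes the click value for the query string and falls back to the whole label when no bracketed code is present.

```python
import re
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed stand-in for ctg_identifier_corporation_name_lookup.csv.
# Deliberately incomplete, as in the thread: no row for BAZ0042.
LOOKUP = {"FOOBAR850": "Acme Corp", "QUX1234": "Globex"}

DETAIL_PATH = "/app/contract_gateway/contract_customer_detail"

# Same shape as the rex in the thread: the code sits between [ and ].
LABEL_RE = re.compile(r"\[(?P<ctg_identifier>[^\]]+)\]$")


def display_label(ctg_identifier: str) -> str:
    """Mirror of the lookup + coalesce step: pretty name when the lookup
    has one, the raw code otherwise, with the code always appended in []."""
    name = LOOKUP.get(ctg_identifier, ctg_identifier)
    return f"{name} [{ctg_identifier}]"


def drilldown_url(label: str) -> str:
    """Build the link the bar chart would emit for $click.value$.
    urlencode percent-encodes the space and the brackets, which a literal
    ?corporation_name=$click.value$ in the link would not."""
    return f"{DETAIL_PATH}?{urlencode({'corporation_name': label})}"


def ctg_identifier_from_url(url: str) -> str:
    """Detail-page side: recover the code from the incoming token.
    Falls back to the whole value when there is no [code] suffix, i.e. a
    label that was never decorated by the overview search."""
    qs = parse_qs(urlparse(url).query)
    label = qs.get("corporation_name", [""])[0]
    m = LABEL_RE.search(label)
    return m.group("ctg_identifier") if m else label


def round_trip(ctg_identifier: str) -> str:
    """Overview label -> drilldown URL -> code recovered on the detail page."""
    return ctg_identifier_from_url(drilldown_url(display_label(ctg_identifier)))


if __name__ == "__main__":
    for code in ("FOOBAR850", "BAZ0042"):
        label = display_label(code)
        url = drilldown_url(label)
        print(label, "->", url, "->", ctg_identifier_from_url(url))
```

Once the code is recovered, the detail search can filter on ctg_identifier="<recovered code>" rather than on the pretty label, which is the field the raw events actually carry.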

aweitzman
Motivator

You could do that, but I think it's an over-complication.

What is the actual text of the search param for one of the searches done on the contract_customer_detail dashboard? How does it incorporate the incoming $click.value$ into its own search?

I think your end result here is going to be modifying the searches on the contract_customer_detail dashboard to include the OR phrase I mentioned above.

0 Karma

_gkollias
SplunkTrust

like "\[(?<ctg_identifier>[^\]]+)\]"

0 Karma

_gkollias
SplunkTrust

So there is a way I might be able to do this... what if I build the corp name with the ctg_identifier, e.g. concat it at the end with [TPCode] so the corp name displays as "Acme Corp [FOOBAR850]"... Then when you do pass it I could pull the TPCode out from between the []. I may need to play around with this a bit... any insight would be greatly appreciated!

0 Karma

_gkollias
SplunkTrust

The customer detail page just uses the token ctg_identifier=$ctg_identifier$, similar to the search shown above. For corporation_name I have yet to figure out a way to capture incoming values.

0 Karma

aweitzman
Motivator

Oh, you're drilling down into another dashboard, so I'm not certain, because it depends on how the dashboard incorporates the incoming values. That said, the way you wrote it would require that both fields equal the same value, which is probably highly unlikely in this case. Something like this might work better, but it might not get you all the way there:

/app/contract_gateway/contract_customer_detail?(ctg_identifier=$click.value$%20OR%20corporation_name=$click.value$)

How does your contract_customer_detail dashboard incorporate incoming values on the query string?

0 Karma

_gkollias
SplunkTrust

Here is the search for the overview page to help give a broader look:

index=contract_gateway_summary source=contract_process_summary exit_status=FAIL*
| stats count as failure_count, sum(total) as failure_dollars by ctg_identifier
| fillnull value="0" failure_count, total_dollars, failure_dollars
| where failure_count>0
| lookup ctg_identifier_corporation_name_lookup.csv ctg_identifier OUTPUT corporation_name
| eval corporation_name=coalesce(corporation_name, ctg_identifier)
| sort - failure_count
| head $limit$
| table corporation_name, failure_count

0 Karma

_gkollias
SplunkTrust

Not quite working... it could be the drilldown link. Does this seem right?

/app/contract_gateway/contract_customer_detail?ctg_identifier=$click.value$&corporation_name=$click.value$

0 Karma

_gkollias
SplunkTrust

Decided to type in the answer box since I had a big reply.

0 Karma

aweitzman
Motivator

You mean, can you name your props.conf stanza [source::contract_process_summary]? That should work just fine.

(Edit: corrected stanza syntax)

_gkollias
SplunkTrust

OK, great. What if I am using a summary search? Will adding [source] in the props still be efficient?

0 Karma

aweitzman
Motivator

OK, so in your local transforms.conf file you'd have something like:

[corporationLookup]
filename = corporationLookup.csv
max_matches = 1

And then in your local props.conf file, you'd refer to it this way:

[mysourcetype]
LOOKUP-corporation = corporationLookup ctg_identifier OUTPUTNEW corporation_name

You get the idea. Good luck.

0 Karma

_gkollias
SplunkTrust

Yes, the problem is that corporation_name is not being logged. The lookup helps to display the ctg_identifier in corporation_name-form. I will check out this doc and let you know how it goes. Thanks!

0 Karma

aweitzman
Motivator

Well, the obvious way is to pass it in both:

index=contract_gateway_summary source=contract_process_summary (ctg_identifier="$ctg_identifier$" OR corporation_name="$ctg_identifier$")

Or is your problem that the corporation_name field doesn't exist in the raw data and can't be found this way? If so, you should create a lookup that creates the field automatically. This should explain further:
http://docs.splunk.com/Documentation/Splunk/6.1.3/Knowledge/Addfieldsfromexternaldatasources

0 Karma