
How to use inputlookup output as parameter in streaming command?

Explorer

I have only one KVstore row for storing session data, and I need those fields as arguments for streaming commands throughout the whole app. Example:

I have one row (I only need one) with session data here:

| inputlookup kvstore_lookup | table baseip ,baseport,ipapi,portapi,userapi,passapi |

And I would need to use those fields as arguments in the following streaming command search:

| getmanagerlogs $baseip$ $baseport$ $ipapi$ $portapi$ $userapi$ $passapi$  | table timestamp, tag, level, description |

What I tried to do is the following:
- First of all, in the dashboard, I bring the kvstore_lookup data via HTTP with $ajax and set the token values in the callback like this:

$(document).ready(function () {
    service.request(
        "storage/collections/data/credentials/",
        "GET",
        null,
        null,
        null,
        {"Content-Type": "application/json"},
        null
    ).done(function (data) {
        console.log(data);
        setToken('baseip', data[0].baseip);
        setToken('baseport', data[0].baseport);
        setToken('ipapi', data[0].ipapi);
        setToken('portapi', data[0].portapi);
        setToken('userapi', data[0].userapi);
        setToken('passwordapi', data[0].passwordapi);
    });
});

But it seems like the search is loaded before that callback is invoked:

var search1 = new SearchManager({
    "id": "search1",
    "search": "| getmanagerlogs $baseip$ $baseport$ $ipapi$ $portapi$ $userapi$ $passwordapi$ | table timestamp, tag, level, description | search  level=$value$",
    "status_buckets": 0,
    "earliest_time": "-24h@h",
    "cancelOnUnload": true,
    "sample_ratio": null,
    "latest_time": "now",
    "app": utils.getCurrentApp(),
    "auto_cancel": 90,
    "preview": true,
    "tokenDependencies": {
    },
    "runWhenTimeIsUndefined": false
}, { tokens: true, tokenNamespace: "submitted" });

I thought about crossing or joining both queries, but I wasn't able to make that work either.
Any help will be much appreciated.

0 Karma

Re: How to use inputlookup output as parameter in streaming command?

SplunkTrust

First, what happens when you fill in this search with the values and run it?

| getmanagerlogs $baseip$ $baseport$ $ipapi$ $portapi$ $userapi$ $passwordapi$ 
| table timestamp, tag, level, description 
| search  level=$value$

Second, are the values in $baseip$ (for example) supposed to be formatted as 1.1.1.1 OR as baseip=1.1.1.1?

0 Karma

Re: How to use inputlookup output as parameter in streaming command?

Explorer

@DalJeanis It works perfectly when I 'hardcode' the values like this:

| getmanagerlogs 10.0.0.90 8000 10.0.0.50 55000 foo bar
| table timestamp, tag, level, description
| search level=$value$

Which are exactly the values that | inputlookup kvstore_lookup | returns.

Thank you for your reply

0 Karma
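
An added example, not part of any post in this thread and not the app's own code: since the KV store values end up inside a search string, one option is to build that string only after the row has arrived, checking each field before it is substituted. The field names follow the inputlookup line in the question (passapi, where the dashboard JavaScript uses passwordapi); the function names and the validation rules are assumptions about what getmanagerlogs accepts.

```javascript
// Added example. Field order matches the getmanagerlogs call in the question.
const FIELDS = ["baseip", "baseport", "ipapi", "portapi", "userapi", "passapi"];

function isIPv4(v) {
  const parts = String(v).split(".");
  return parts.length === 4 &&
    parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

function isPort(v) {
  return /^\d{1,5}$/.test(String(v)) && Number(v) >= 1 && Number(v) <= 65535;
}

// Assumption: arguments are positional and split on whitespace, so a value may
// not contain spaces, pipes, quotes, brackets or "$" that would end the
// argument or start another SPL clause.
function isBareWord(v) {
  return /^[A-Za-z0-9._@%+=:,~-]{1,128}$/.test(String(v));
}

const RULES = {
  baseip: isIPv4, baseport: isPort, ipapi: isIPv4,
  portapi: isPort, userapi: isBareWord, passapi: isBareWord
};

// Returns the search string for one KV store row, or throws naming the bad
// field. The error never echoes the value, so a password cannot leak via logs.
function buildManagerLogsSearch(row) {
  if (!row || typeof row !== "object") throw new Error("no session row loaded");
  const args = FIELDS.map(name => {
    const value = row[name];
    if (value === undefined || value === null || !RULES[name](value)) {
      throw new Error("invalid or missing field: " + name);
    }
    return String(value);
  });
  return "| getmanagerlogs " + args.join(" ") +
    " | table timestamp, tag, level, description";
}

// Constructed row, using the values quoted in the last reply of the thread.
const constructedRow = {
  baseip: "10.0.0.90", baseport: "8000", ipapi: "10.0.0.50",
  portapi: "55000", userapi: "foo", passapi: "bar"
};
console.log(buildManagerLogsSearch(constructedRow));
```

In a dashboard this would be called from the callback that receives the row, so the search text is only produced once every value is present and well-formed.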