Dashboards & Visualizations

I want to pass multivalue from one search result to another search result

0waste_splunk
Communicator

Hi,

I am trying to create a report using a couple of searchTemplates. I want to pass one searchTemplate's result to a 2nd searchTemplate. The 1st search might result in a single value or a multivalue. Now, using this/these value(s) from the 1st search, I want to pass these values to the 2nd search, which will bring more detail about that value. The 2nd search is searching another index.

Like, the 1st search gives you the following result:

    Number   count
    123      2
    4353     1
    039425   6

Now I want to pass 123, 4353 and 039425 to the 2nd search, which will get more detail about 123, 4353 and 039425.

I don't know beforehand how many lines will be displayed after the 1st search's execution.

sideview
SplunkTrust

The normal way to do this in Splunk would be to use a subsearch.

    <your search terms> [search <some_terms_to_get_the_123_4353_results> | fields Number]

The square brackets effectively become Number=123 OR Number=4353 OR Number=039425.

But to display both results in the same Simple XML dashboard you would have to basically get the same events off disk twice. You'd run one search to get the first search results, and then a second search that re-runs the first search as a subsearch.

With Sideview Utils you have more flexibility, although it would require moving to the Advanced XML (watch this 10-min screencast if you're dubious). In a PostProcess module hanging off of your first search result, you can use Splunk's format search command manually to create the string Number=123 OR Number=4353 OR Number=039425 as a field value, then use the Sideview ResultsValueSetter module to pull down that string and make it available as a simple $foo$ token, usable by other modules. Then you can plug that $foo$ token into a downstream search, and you can then display both sets of results without actually getting any events off disk twice.

An advanced direction to consider is to use the Sideview Multiplexer module. With Multiplexer, even though you don't know how many rows your first search will have, you can have the Multiplexer display a paginated Table for each of those Number values, or a Chart, or some HTML and a Chart, etc.

For more info and tons of docs and working examples, download Sideview Utils and read through the embedded docs and examples pages: http://sideviewapps.com/apps/sideview-utils
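Added example, not from the thread above and not Sideview or Splunk code: a small Python emulation of what the subsearch expansion (Splunk's `format` command) turns the first search's rows into, so you can see the string that is actually injected into the outer search. The parenthesis layout, the OR-joining of multivalue fields, the `NOT( )` result for an empty first search and the 10000-row subsearch cap follow Splunk's documented defaults as I understand them and are assumptions of this emulation; the rows are constructed sample data matching the question.

```python
from typing import Iterable, Mapping, Optional, Set, Union

Value = Union[str, list]

# Constructed sample: the asker's first search result. Splunk keeps Number as a
# string, so the leading zero of 039425 survives (no numeric coercion).
FIRST_SEARCH_ROWS = [
    {"Number": "123", "count": "2"},
    {"Number": "4353", "count": "1"},
    {"Number": "039425", "count": "6"},
]

def quote(value: str) -> str:
    """Double-quote a value as a search literal, escaping backslashes and quotes.
    Quoting is what keeps a value coming out of the first search from being read
    as search syntax (operators, field=value pairs) in the outer search."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def format_search(rows: Iterable[Mapping[str, Value]], keep_fields: Optional[Set[str]] = None,
                  mvsep: str = "OR", emptystr: str = "NOT( )", maxout: int = 10000) -> str:
    """Emulate `| fields <keep_fields> | format` on the first search's rows (approximation).
    A row value may be a str or a list of str (multivalue field). Rows are OR'ed
    together, fields within a row are AND'ed, and the result is capped at maxout
    rows as a subsearch would be. No rows at all yields emptystr, i.e. NOT( ),
    which makes the outer search match nothing rather than everything."""
    row_clauses = []
    for row in list(rows)[:maxout]:
        terms = []
        for field, value in row.items():
            if keep_fields is not None and field not in keep_fields:
                continue  # this is the effect of `| fields Number` in the subsearch
            values = value if isinstance(value, list) else [value]
            term = f" {mvsep} ".join(f"{field}={quote(v)}" for v in values)
            terms.append(term if len(values) == 1 else f"( {term} )")
        if terms:
            row_clauses.append("( " + " AND ".join(terms) + " )")
    if not row_clauses:
        return emptystr
    return "( " + " OR ".join(row_clauses) + " )"

if __name__ == "__main__":
    print(format_search(FIRST_SEARCH_ROWS, keep_fields={"Number"}))
    # Without `| fields Number` the count column leaks into the outer search as an AND term:
    print(format_search(FIRST_SEARCH_ROWS))
    print(format_search([]))
```

Run it to compare the two outputs: the second one shows why the `| fields Number` in the subsearch is not optional, since `count` would otherwise be AND'ed into every clause and the second index would have to carry that field too.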
