
I want to pass a multivalue from one search result to another search result

0waste_splunk
Communicator

Hi,

I am trying to create a report using a couple of searchTemplates. I want to pass the 1st searchTemplate's result to the 2nd searchTemplate. The 1st search might result in a single value or a multivalue. Now, using this/these value(s) from the 1st search, I want to pass these values to the 2nd search, which will bring more detail about those values. The 2nd search searches another index.

For example, the 1st search gives you the following result:

Number  count
123     2
4353    1
039425  6

Now I want to pass 123, 4353 and 039425 to the 2nd search, which will get more detail about 123, 4353 and 039425.

I don't know beforehand how many lines will be displayed after the 1st search executes.

0 Karma
1 Solution

sideview
SplunkTrust
SplunkTrust

The normal way to do this in Splunk would be to use a subsearch.

<your search terms> [search <some_terms_to_get_the_123_4353_results> | fields Number]

The square brackets effectively would become Number=123 OR Number=4353 OR Number=039425.

But to display both results in the same Simple XML dashboard you would have to basically get the same events off twice. You'd run one search to get the first search results, and then a second search that re-runs the first search as a subsearch.

With Sideview Utils you have more flexibility, although it would require moving to the Advanced XML (watch this 10-minute screencast if you're dubious). In a PostProcess module hanging off of your first search result, you can use Splunk's format search command manually to create the string Number=123 OR Number=4353 OR Number=039425 as a field value, then use the Sideview ResultsValueSetter module to pull down that string and make it available as a simple $foo$ token, usable by other modules. Then you can plug that $foo$ token into a downstream search, and you can then display both sets of results without actually getting any events off disk twice.

An advanced direction to consider is to use the Sideview Multiplexer module. With Multiplexer, even though you don't know how many rows your first search will have, you can have the Multiplexer basically display a paginated Table for each of those Number values, or a Chart, or some HTML and a Chart, etc.

For more info and tons of docs and working examples, download Sideview Utils and read through the embedded docs and examples pages: http://sideviewapps.com/apps/sideview-utils


0 Karma
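As an added example (not part of sideview's answer or of Sideview Utils), here is the subsearch approach from the answer written out in SPL against the asker's Number/count table. The index and sourcetype names (first_index, first_data, second_index) are assumptions; the format command and its default output shape are Splunk's own. The first search shows what the subsearch's bracket expansion actually produces; the second is the combined search the asker would run, with the second index's detail events joined to the Number values found by the first search.

```spl
index=first_index sourcetype=first_data
| stats count by Number
| fields Number
| format
```

```spl
index=second_index
    [ search index=first_index sourcetype=first_data
      | stats count by Number
      | fields Number ]
| table _time Number
```

The first search returns one row whose search field reads ( ( Number="123" ) OR ( Number="4353" ) OR ( Number="039425" ) ); that string is exactly what the square brackets in the second search are replaced with before the outer search runs, and the `| fields Number` step is what keeps the count column out of the generated clause. Two caveats for anyone relying on this in a detection or an investigation: the inner result list is bounded by the [subsearch] stanza of limits.conf (maxout, default 10000 results, and maxtime, default 60 seconds), and when either limit is hit the outer search still runs against the truncated list, which is easy to miss, so a report that must cover every Number should verify the subsearch completed. Second, values such as 039425 are matched as quoted strings, so the leading zero is preserved only if the Number field in the second index is stored the same way.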
