Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Please help "search depends" and "search rejects" not working

HenryFitzerald
New Member
‎11-24-2018 12:51 AM

I set the token "All" but whenever I try to place the second ""
in the panel I obtain
Warning on line 76: Expected at most 1 children of base-search in chart, instead saw 2
Warning on line 83: Node is not allowed here
I had to comment out chart but it changes the whole panel & cannot drill down so I am unable to add
a second query.
<!--chart-->
<!--option name="charting.chart">column
<!--option name="charting.drilldown">none
Code is in next comment

Tags (1)
0 Karma
Reply

DavidHourani
Super Champion
‎11-27-2018 09:38 AM

Please check my answer on your repost :

https://answers.splunk.com/answers/701762/repost-please-can-anyone-help-help-search-depends.html?chi...

Cheers,
David

0 Karma
Reply

deking_splunk
Splunk Employee
Splunk Employee
‎11-27-2018 09:11 AM

Hi

It looks like to me you are missing a closing query tag in your XML. Hence the next search tag is interpreted as a child of query

 <query>
   index=_internal  sourcetype=BookWork

MISSING QUERY TAG CLOSE HERE

0 Karma
Reply

woodcock
Esteemed Legend
‎11-24-2018 10:34 AM

I don't get it at all. Please post your ENTIRE xml.

0 Karma
Reply

HenryFitzerald
New Member
‎11-25-2018 02:06 AM

Hi WoodCock thanks for contact I have reposted with the code as

REPOST PLEASE CAN ANYONE HELP SEARCH DEPENDS REJECTS
https://answers.splunk.com/answers/701762/repost-please-can-anyone-help-help-search-depends.html

0 Karma
Reply

HenryFitzerald
New Member
‎11-25-2018 12:59 AM

CODE

EVENTS-ALL
Shows events ALL.

<input type="time" token="master_time_span">
  <label>Chart time span</label>
  <default>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </default>
</input>
<input type="dropdown" token="service_family_tok" searchWhenChanged="true">
  <label>Choose Service Family:</label>
  <choice value="ALL">ALL</choice>
  <choice value="GMM">GMM</choice>
  <choice value="HWBT">HWBT</choice>
  <choice value="EDH">EDH</choice>
  <choice value="PWS">PWS</choice>
  <default>ALL</default>
  <initialValue>ALL</initialValue>
  <change>
    <condition value="ALL">
      <set token="feature_values">*</set>
      <!--set token="feature_values">ALL</set-->
      <set token="All">true</set>
      <set token="feature_values">*</set>
      <unset token="form.enter_feature_tok"></unset>
    </condition>
    <condition value="EDH">
      <set token="feature_values">MANACCS,INBOX,STMT,ACTS</set>
      <unset token="form.enter_feature_tok"></unset>
    </condition>
    <condition value="GMM">
      <set token="feature_values">CCA,CIA,REG</set>
      <unset token="form.enter_feature_tok"></unset>
    </condition>
    <condition value="HWBT">
      <set token="feature_values">PLA</set>
      <unset token="form.enter_feature_tok"></unset>
    </condition>
    <condition value="PWS">
      <set token="feature_values">ALL</set>
      <unset token="form.enter_feature_tok"></unset>
    </condition>
  </change>
</input>
<input type="dropdown" token="enter_feature_tok">
  <label>Choose Feature:</label>
  <fieldForLabel>feature</fieldForLabel>
  <fieldForValue>feature</fieldForValue>
  <search>
    <query>|makeresults|eval feature="$feature_values$"|makemv feature delim=","|mvexpand feature</query>
    <earliest>-1s@s</earliest>
    <latest>now</latest>
  </search>
  <change>
    <eval token="l_service_family_tok">lower($service_family_tok$)</eval>
    <eval token="l_enter_feature_tok">lower($value$)</eval>
  </change>
</input>


<panel>
  <title>BookWorks</title>
  <chart depends="$All$">
    <title>BookWorks ALL and individual choices events</title>
    <search>
      <query> index=_internal  sourcetype=BookWork </query>
      <earliest>$master_time_span.earliest$</earliest>
      <latest>$master_time_span.latest$</latest>
    </search>
    <option name="charting.chart">column</option>
    <option name="charting.drilldown">none</option>
  </chart>
   <chart rejects="$All$">
     <title>BookWorks</title>
     <search>
       <query>
        index=_internal  sourcetype=BookWork 
        | lookup lookup fd_$l_service_family_tok$_$l_enter_feature_tok$_map  
        | search fd_feature=$enter_feature_tok$ 
       </query>
     </search>
     <option name="charting.chart">column</option>
    <option name="charting.drilldown">none</option> 
   </chart>
</panel>
0 Karma
Reply

HenryFitzerald
New Member
‎11-25-2018 12:54 AM

Hi WoodCock,Thanks for reply apologies tried to delete previous post & repost without success.
I have placed XML text at the very end in a new comment.

ISSUE
I have two-drop down boxes with a 1-Many relationship with tokens "service_family" and "feature" as below. A user chooses a "service_family" & "feature" token used to execute a query as below and results is dependant on the chosen service_family and feature in the query doing a "lookup" and "search".
query =>
index=internal sourcetype=FilmWork
| lookup fd$l_service_family_tok$_$l_enter_feature_tok$_microservice_map

| search feature=$enter_feature_tok$

Example user chooses EDH & STMT service_family_tok =EDH and enter_feature_tok=STMT
l_enter_feature_tok is just lowercase="stmt" in query.

But I need to implement a new user choice called ALL so I made service_family="ALL" & feature * which produces everything in query theres no need to implement lookup and search of query as it's not required.

So when ALL is chosen the query that executes is:-
=> index=_internal sourcetype=FilmWork

Theres no lookup & search.
So issue is how to get a condition to execute query => index=_internal sourcetype=FilmWork when the user chooses ALL, *.

Existing choices as below-
service_family feature

EDH STMT
EDH MANACSS
EDH INBOX
EDH STMT
EDH ACTS
GMM CCA
GMM CIA
GMM RESAVER
HWBT PLA
PWS ALL

New Option=>
ALL *

0 Karma
Reply

HenryFitzerald
New Member
‎11-24-2018 12:52 AM

Chart time span

 <earliest>-24h@h</earliest>
 <latest>now</latest>

Choose Service Family:
ALL
GNM
HWB
ED
PS
ALL
ALL

 <condition value="ALL">
   <set token="feature_values">ALL</set>
     <set token="All"></set>
     <unset token="form.enter_feature_tok"></unset>
 </condition>
 <condition value="EDH">
   <set token="feature_values">MANACCS,INBOX,STMT,ACTS</set>
   <unset token="form.enter_feature_tok"></unset>
 </condition>
 <condition value="GMN">
   <set token="feature_values">CCA,CIA,REG</set>
   <unset token="form.enter_feature_tok"></unset>
 </condition>
 <condition value="HWB">
   <set token="feature_values">PLA</set>
   <unset token="form.enter_feature_tok"></unset>
 </condition>
 <condition value="PS">
   <set token="feature_values">ALL</set>
   <unset token="form.enter_feature_tok"></unset>
 </condition>

Choose Feature:
feature
feature

 <query>|makeresults|eval feature="$feature_values$"|makemv feature delim=","|mvexpand feature</query>
 <earliest>-1s@s</earliest>
 <latest>now</latest>


 <eval token="l_service_family_tok">lower($service_family_tok$)</eval>
 <eval token="l_enter_feature_tok">lower($value$)</eval>











 <title>BookWorks events</title>
 <search rejects="$All$">
   <query>
    index=_internal  sourcetype=BookWork 
   | lookup lookup fd_$l_service_family_tok$_$l_enter_feature_tok$_map  
   | search fd_feature=$enter_feature_tok$ 
  </query>
   <earliest>$master_time_span.earliest$</earliest>
   <latest>$master_time_span.latest$</latest>
 </search>
    <search depends="$All$">
    <query>
      index=_internal  sourcetype=BookWork 
    </search>
 <option name="charting.chart">column</option>
 <option name="charting.drilldown">none</option>





 <title>BookWorks events</title>
 <search>
   <query> index=_internal  sourcetype=FilmWork 
   | lookup fd_$l_service_family_tok$_$l_enter_feature_tok$_map  
   | search fd_feature=$enter_feature_tok$ | 
  </query>
   <earliest>$master_time_span.earliest$</earliest>
   <latest>$master_time_span.latest$</latest>
 </search>
 <option name="list.drilldown">none</option>
0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...