Splunk Search

Can subsearches access search tokens?

alastairsin
Engager

I am building a dashboard using simple xml.

I have a populating search that defines inputs for a dropdown list. The selected value is stored in a token that can be accessed by searches in the form. In one of my searches, i am running a subsearch that searches a lookup table based on the token and returns corresponding values back to the main query.

However, the subsearch doesn't seem to be able to use the value stored in the token. Can someone help me with this?

0 Karma
1 Solution

somesoni2
Revered Legend

Could you try with enclosing your search String in <![CDATA[ your query ]]>. Also, use the token within double quotes (GRID_FARM_NAME="$Farm$")

View solution in original post

somesoni2
Revered Legend

Could you try with enclosing your search String in <![CDATA[ your query ]]>. Also, use the token within double quotes (GRID_FARM_NAME="$Farm$")

somesoni2
Revered Legend

Please close the question so that other can see the accepted answer.

0 Karma

alastairsin
Engager

the token $Farm$ in the subsearch does not contain the selected value and so my subsearch is essentially running this:

[|inputlookup append=t farm_consumer_grid|search GRID_FARM_NAME="" |return CLUSTER_NAME,CONSUMER_NAME]

And this returns all values rather than specific values for CLUSTER_NAME and CONSUMER_NAME. The intention of the subsearch is to return this "CLUSTER_NAME=cluster_value CONSUMER_NAME=consumer_value" based on $Farm$ in a lookup table.

0 Karma

somesoni2
Revered Legend

Any specific issue you're getting?

0 Karma

alastairsin
Engager

I have just posted it. Thanks in advance

0 Karma

alastairsin
Engager

Here is my code for dropdown and search:

<input type="dropdown" token="Farm">
  <label>Select Farm</label>
     <populatingSearch fieldForValue="GRID_FARM_NAME" fieldForLabel="FARM_NAME">
                  <![CDATA[ | inputlookup farm_consumer_grid ]]>
     </populatingSearch>
</input>

<row>
<chart>
  <title>Consumer Demand vs Allocation</title>
  <searchString>sourcetype="Grid-Symphony:consumer_demand" [|inputlookup append=t farm_consumer_grid|search GRID_FARM_NAME=$Farm$ |return CLUSTER_NAME,CONSUMER_NAME] |timechart span=5min sum(USED) as Allocation, sum(MAX_REQUESTED) as Demand</searchString>
  <option name="charting.chart">line</option>
  <option name="charting.legend.placement">bottom</option>
  <option name="count">10</option>
  <option name="displayRowNumbers">true</option>
</chart>

0 Karma

alastairsin
Engager

Using the token within double quotes fixed the problem. Thank you @somesoni2! 🙂

0 Karma

alastairsin
Engager

Hi @dfoster_splunk, do you have an update on this? Thanks in advance.

0 Karma

dfoster_splunk
Splunk Employee
Splunk Employee

Thanks. I took a brief look this morning, and I think there might be a bug that is keeping this from working. Will try to give you another update later this week when I have more bandwidth.

0 Karma

Chintan_m
Explorer

Hello @dfoster_splunk ,

I am facing a similar issue.

In my case I am using token defined by one dropdown in an append subsearch of another dropdown. Below is my query for the 2nd dropdown.

I have highlighted token usage in orange colour.

<query>
<![CDATA[index=myaccount_db $environment$ $company_code$ NOT SALESORG="NL20"
| fillnull COMPANY_CD,SALESORG value="NULL"
| eval COMPANY_CD=case(COMPANY_CD=="NULL" AND match(INVOICE_NUMBER,"INV.*"),"US30",COMPANY_CD=="NULL","US10",1=1,COMPANY_CD)
| eval SALESORG=case(SALESORG=="NULL" AND COMPANY_CD="US30","US30",SALESORG=="NULL" AND COMPANY_CD="US10","US11",1=1,SALESORG)
| stats count by SALESORG
| eval SALESORG_FILTER="SALESORG=\"".SALESORG."\"" | eval description=case(SALESORG=="US10","US10 - United States, TAA Publishing/Legal",SALESORG=="US11","US11 - United States, TAA Software",SALESORG=="US12","US12 - United States, Legal",SALESORG=="AU10","AU10 - Australia, Tax and Accounting",SALESORG=="WKFS","WKFS - Compliance Services",SALESORG=="NL20","NL20 - KLI - Netherlands",SALESORG=="NZ10","NZ10 - New Zealand, Tax and Accounting",SALESORG=="US30","US30 - United States, Professional")
| stats dc(SALESORG) as ALL values(SALESORG_FILTER) as SALESORG_FILTER1
| eval description=if(ALL > 1,"ALL","NO")
| search description="ALL"
| eval SALESORG_FILTER = mvjoin(SALESORG_FILTER1, " OR ")
| append
[
search index=myaccount_db "$environment$" "$company_code$" NOT SALESORG="NL20"
| fillnull COMPANY_CD,SALESORG value="NULL"
| eval COMPANY_CD=case(COMPANY_CD=="NULL" AND match(INVOICE_NUMBER,"INV.*"),"US30",COMPANY_CD=="NULL","US10",1=1,COMPANY_CD)
| eval SALESORG=case(SALESORG=="NULL" AND COMPANY_CD="US30","US30",SALESORG=="NULL" AND COMPANY_CD="US10","US11",1=1,SALESORG)
| stats count by SALESORG
| eval SALESORG_FILTER="SALESORG=\"".SALESORG."\"" | eval description=case(SALESORG=="US10","US10 - United States, TAA Publishing/Legal",SALESORG=="US11","US11 - United States, TAA Software",SALESORG=="US12","US12 - United States, Legal",SALESORG=="AU10","AU10 - Australia, Tax and Accounting",SALESORG=="WKFS","WKFS - Compliance Services",SALESORG=="NL20","NL20 - KLI - Netherlands",SALESORG=="NZ10","NZ10 - New Zealand, Tax and Accounting",SALESORG=="US30","US30 - United States, Professional")
]
| sort description]]>
</query>

0 Karma

dfoster_splunk
Splunk Employee
Splunk Employee

Could you please post your dashboard code?

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...