Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Creating a token in first search and passing it on to append search

Software-Simian
Path Finder
‎10-21-2021 05:08 AM

Hello,

i am trying to create a dependency map without the external creation of tokens that are being fed to the append searches.

Here is the motive:

I have a list of Sources and Targets, where as the Source of one Relation is the Target of many others and so on. This is recursive, but i would stop at 4 iterations for now 😉 )
The resulting table must only have the pairs of Source and Target Services as basis for the visualization.

The first search looks something like this:
index=poc_analyze_something_rather Target_Service=$my_initial_token_from dashboard$
| table Source_Service Target_Service

The initial token is being fed via drilldown from the dashboard. So far no issue at all. So the first search creates the list of Source_Services connected to the Target_Service (token).

Now i have actually two issues...sorry...
First is that i cannot create the table of the pairs and create a token at the same time.

The creation of the token would look something like this:
index=poc_analyze_something_rather Target_Service=$my_initial_token_from dashboard$
| stats values(Source_Service) as results | eval list_of_Source_Services_search_one = mvjoin(results, ",")

So the first issue is how to team them up in one search if possible

The second issue starts once i have the token. The second search would look something like that:
| append [ | search
index=poc_analyze_something_rather Target_Service IN($list_of_Source_Services_Search_one$)
| table Source_Service Target_Service
]

However the first search does not seem to pass the token along into the append search.
It is no issue at all if i make a search in the dashboard (no visualization) like this to create the token:

<search>
  <query>
    index=poc_analyze_something_rather Target_Service=$my_initial_token_from dashboard$
    | stats values(Source_Service) as results | eval source_list= mvjoin(results, ",")
  </query>
  <earliest>-15m</earliest>
  <latest>now</latest>
  <done>
    <set token="list_of_Source_Services_Search_one">$result.source_list$</set>
  </done>
</search>

The append search has no issues at all with this token. However there must be a way to create the list the Source and Targets without resulting to a dashboard with xml coded searches.

Any idea?

Thanks Mike

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-21-2021 06:25 AM

There is no passing of tokens/fields into subsearches in SPL.  The only exception is with the map command.

Sometimes, one can work around this by refactoring the search so the token is created in a subsearch and passed OUT to the main search.  That probably won't work in this case so a dashboard is the way to go.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

Software-Simian
Path Finder
‎10-21-2021 06:36 AM

Hi,

thanks for the response.

 

Yes concatinating the search string entirely out of tokens is possible and i already use it for standard charts that only differ in a metric or so...make the code much slimmer. However this would mean that the Visualization search is triggered each time that a sub token is filled or it displays depending on the ofset errors or no results found...However this procedure makes the Visualization rather...flickery as the one append relies of a token from the previous append or main search. So if i have 3 sub searches the charts loads about 3 times just for one search.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-21-2021 06:25 AM

There is no passing of tokens/fields into subsearches in SPL.  The only exception is with the map command.

Sometimes, one can work around this by refactoring the search so the token is created in a subsearch and passed OUT to the main search.  That probably won't work in this case so a dashboard is the way to go.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...