Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I fix this multisearch that is acting unexpectedly

dimigs
Engager
‎03-18-2022 02:45 PM

The message format we chose uses a field called scope to control the level of aggregation you want (by request_type, site, zone, cluster). The scope is set with a dropdown and passed in as a token. I wanted to use multi-search to coalesce the results of 4 different searches. So that if the scope was site, only the results from the site search would be shown.

Actual Search:

index=cloud_aws namespace=cloudship lambda=SCScloudshipStepFunctionStats metric_type=*_v0.3 | spath input=message | multisearch [search $request_type_token$ | where "$scope_token$" == "request_type" ] [search $request_type_token$ $site_token$ | where "$scope_token$" == "site"] [search $request_type_token$ $site_token$ $zone_token$ | where "$scope_token$" == "zone"] [search scope=$scope_token$ $request_type_token$ $site_token$ $zone_token$ $cluster_token$ | where "$scope_token$" == "cluster"] | timechart cont=FALSE span=$span_token$ sum(success) by request_type

Search after token substitution with literal values.

index=cloud_aws namespace=cloudship lambda=SCScloudshipStepFunctionStats metric_type=*_v0.3 | spath input=message | multisearch [search request_type="*" | where "site" == "request_type" ] [search request_type="*" site="RTP" | where "site" == "site"] [search request_type="*" site="RTP" zone="*" | where "site" == "zone"] [search scope=site request_type="*" site="RTP" zone="*" cluster="*" | where "site" == "cluster"] | timechart cont=FALSE span=hour sum(success) by request_type

BUT ... the results of this query are equivalent to no search at all and I basically do not filter anything.

index=cloud_aws namespace=cloudship lambda=SCScloudshipStepFunctionStats metric_type=*_v0.3 | spath input=message | timechart cont=FALSE span=hour sum(success) by request_type

This query and the one above give the same result. What am I missing here? When I execute each part of the multi-search separately, the results are correct. I get empty results for all but the 'where "site" == "site"' search. But when I run the whole query I get no filtering at all. Help!

Tags (1)
0 Karma
Reply

dimigs
Engager
‎03-19-2022 07:25 AM

Really frustrating. That is 3 tries and none work.

0 Karma
Reply

dimigs
Engager
‎03-19-2022 07:24 AM

So i tried this:

index=cloud_aws namespace=cloudship lambda=SCScloudshipStepFunctionStats metric_type=*_v0.3 | spath input=message | search $search_string_token$ | timechart cont=FALSE span=$span_token$ sum(success) by request_type

Then I used my Scope dropdown to define the search_string_token.

Static Options:

  request_type: request_type=*

  site: request_type=* site=*

  zone: request_type=* site=* zone=*

  cluster: request_type=* site=* zone=* cluster=*

That actually works. BUT I don't really want just "*" there, I want the input value from another token.

Static Options:

  request_type: $request_type_token$

  site: $request_type_token$ $site_token$

  zone: $request_type_token$ $site_token$ $zone_token$

  cluster: $request_type_token$ $site_token$ $zone_token$ $cluster_token$

That does not work. All I get is the string  "$request_type_token$" in the search and not the token value.

index=cloud_aws namespace=cloudship lambda=SCScloudshipStepFunctionStats metric_type=*_v0.3 | spath input=message | search $request_type_token$ | timechart cont=FALSE span=hour sum(success) by request_type

0 Karma
Reply

dimigs
Engager
‎03-19-2022 07:04 AM

How do I do this in just spl? What is the mvindex and random?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-19-2022 12:57 PM

mvindex and random are just setting up some dummy data for the runanywhere example to work.

Try this (I have added some dropdowns for the request type, site, zone and cluster tokens as well)

  <row>
    <panel>
      <input token="request_type" type="dropdown">
        <label>Select request type</label>
        <choice value="Request type A">A</choice>
        <choice value="Request type B">B</choice>
        <choice value="Request type C">C</choice>
        <choice value="*">Any</choice>
        <default>*</default>
      </input>
      <input token="site" type="dropdown">
        <label>Select site</label>
        <choice value="Site A">A</choice>
        <choice value="Site B">B</choice>
        <choice value="Site C">C</choice>
        <choice value="*">Any</choice>
        <default>*</default>
      </input>
      <input token="zone" type="dropdown">
        <label>Select zone</label>
        <choice value="Zone A">A</choice>
        <choice value="Zone B">B</choice>
        <choice value="Zone C">C</choice>
        <choice value="*">Any</choice>
        <default>*</default>
      </input>
      <input token="cluster" type="dropdown">
        <label>Select cluster</label>
        <choice value="Cluster A">A</choice>
        <choice value="Cluster B">B</choice>
        <choice value="Cluster C">C</choice>
        <choice value="*">Any</choice>
        <default>*</default>
      </input>
      <input token="scope_choice" type="dropdown">
        <label>Select scope</label>
        <choice value="request_type">request type</choice>
        <choice value="site">site</choice>
        <choice value="zone">zone</choice>
        <choice value="cluster">cluster</choice>
        <default>request_type</default>
        <change>
          <condition value="request_type">
            <set token="scope">request_type=$request_type|s$</set>
          </condition>
          <condition value="site">
            <set token="scope">request_type=$request_type|s$ site=$site|s$</set>
          </condition>
          <condition value="zone">
            <set token="scope">request_type=$request_type|s$ site=$site|s$ zone=$zone|s$</set>
          </condition>
          <condition value="cluster">
            <set token="scope">request_type=$request_type|s$ site=$site|s$ zone=$zone|s$ cluster=$cluster|s$</set>
          </condition>
        </change>
      </input>
      <table>
        <search>
          <query>
| makeresults count=100
| eval request_type="Request type ".mvindex(split("ABC",""),random()%4)
| eval site="Site ".mvindex(split("ABC",""),random()%4)
| eval zone="Zone ".mvindex(split("ABC",""),random()%4)
| eval cluster="Cluster ".mvindex(split("ABC",""),random()%4)
| search $scope$
          </query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
Reply

dimigs
Engager
‎03-18-2022 04:28 PM

I want to do this.

If scope == 'request':

    search request_type="*"

elif scope == 'site':

    search request_type="*" site=*

scope == 'zone':

    search request_type="*" site=* zone=*

scope == 'cluster':

    search request_type="*" site=* zone=* cluster=*

And I just can't make it happen

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-19-2022 12:43 AM

Change your dropdown so that the values represent the search you want to do. Here is a runanywhere example:

  <row>
    <panel>
      <input token="scope" type="dropdown">
        <label>Select scope</label>
        <choice value="request_type=&quot;*&quot;">request</choice>
        <choice value="request_type=&quot;*&quot; site=&quot;*&quot;">site</choice>
        <choice value="request_type=&quot;*&quot; site=&quot;*&quot; zone=&quot;*&quot;">zone</choice>
        <choice value="request_type=&quot;*&quot; site=&quot;*&quot; zone=&quot;*&quot; cluster=&quot;*&quot;">cluster</choice>
        <default>request_type="*"</default>
      </input>
      <table>
        <search>
          <query>
| makeresults count=100
| eval request_type="Request type ".mvindex(split("ABC",""),random()%4)
| eval site="Site ".mvindex(split("ABC",""),random()%4)
| eval zone="Zone ".mvindex(split("ABC",""),random()%4)
| eval cluster="Cluster ".mvindex(split("ABC",""),random()%4)
| search $scope$
          </query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
0 Karma
Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...