Re: Multisearch not doing what I expect

dimigs · ‎03-18-2022

The message format we chose uses a field called scope to control the level of aggregation you want (by request_type, site, zone, cluster). The scope is set with a dropdown and passed in as a token. I wanted to use multi-search to coalesce the results of 4 different searches. So that if the scope was site, only the results from the site search would be shown.

Actual Search:

index=cloud_aws namespace=cloudship lambda=SCScloudshipStepFunctionStats metric_type=*_v0.3 | spath input=message | multisearch [search $request_type_token$ | where "$scope_token$" == "request_type" ] [search $request_type_token$ $site_token$ | where "$scope_token$" == "site"] [search $request_type_token$ $site_token$ $zone_token$ | where "$scope_token$" == "zone"] [search scope=$scope_token$ $request_type_token$ $site_token$ $zone_token$ $cluster_token$ | where "$scope_token$" == "cluster"] | timechart cont=FALSE span=$span_token$ sum(success) by request_type

Search after token substitution with literal values.

index=cloud_aws namespace=cloudship lambda=SCScloudshipStepFunctionStats metric_type=*_v0.3 | spath input=message | multisearch [search request_type="*" | where "site" == "request_type" ] [search request_type="*" site="RTP" | where "site" == "site"] [search request_type="*" site="RTP" zone="*" | where "site" == "zone"] [search scope=site request_type="*" site="RTP" zone="*" cluster="*" | where "site" == "cluster"] | timechart cont=FALSE span=hour sum(success) by request_type

BUT ... the results of this query are equivalent to no search at all and I basically do not filter anything.

index=cloud_aws namespace=cloudship lambda=SCScloudshipStepFunctionStats metric_type=*_v0.3 | spath input=message | timechart cont=FALSE span=hour sum(success) by request_type

This query and the one above give the same result. What am I missing here? When I execute each part of the multi-search separately, the results are correct. I get empty results for all but the 'where "site" == "site"' search. But when I run the whole query I get no filtering at all. Help!

dimigs · ‎03-19-2022

Really frustrating. That is 3 tries and none work.

dimigs · ‎03-19-2022

So i tried this:

index=cloud_aws namespace=cloudship lambda=SCScloudshipStepFunctionStats metric_type=*_v0.3 | spath input=message | search $search_string_token$ | timechart cont=FALSE span=$span_token$ sum(success) by request_type

Then I used my Scope dropdown to define the search_string_token.

Static Options:

request_type: request_type=*

site: request_type=* site=*

zone: request_type=* site=* zone=*

cluster: request_type=* site=* zone=* cluster=*

That actually works. BUT I don't really want just "*" there, I want the input value from another token.

Static Options:

request_type: $request_type_token$

site: $request_type_token$ $site_token$

zone: $request_type_token$ $site_token$ $zone_token$

cluster: $request_type_token$ $site_token$ $zone_token$ $cluster_token$

That does not work. All I get is the string "$request_type_token$" in the search and not the token value.

index=cloud_aws namespace=cloudship lambda=SCScloudshipStepFunctionStats metric_type=*_v0.3 | spath input=message | search $request_type_token$ | timechart cont=FALSE span=hour sum(success) by request_type

dimigs · ‎03-19-2022

How do I do this in just spl? What is the mvindex and random?

ITWhisperer · ‎03-19-2022

mvindex and random are just setting up some dummy data for the runanywhere example to work.

Try this (I have added some dropdowns for the request type, site, zone and cluster tokens as well)

  <row>
    <panel>
      <input token="request_type" type="dropdown">
        <label>Select request type</label>
        <choice value="Request type A">A</choice>
        <choice value="Request type B">B</choice>
        <choice value="Request type C">C</choice>
        <choice value="*">Any</choice>
        <default>*</default>
      </input>
      <input token="site" type="dropdown">
        <label>Select site</label>
        <choice value="Site A">A</choice>
        <choice value="Site B">B</choice>
        <choice value="Site C">C</choice>
        <choice value="*">Any</choice>
        <default>*</default>
      </input>
      <input token="zone" type="dropdown">
        <label>Select zone</label>
        <choice value="Zone A">A</choice>
        <choice value="Zone B">B</choice>
        <choice value="Zone C">C</choice>
        <choice value="*">Any</choice>
        <default>*</default>
      </input>
      <input token="cluster" type="dropdown">
        <label>Select cluster</label>
        <choice value="Cluster A">A</choice>
        <choice value="Cluster B">B</choice>
        <choice value="Cluster C">C</choice>
        <choice value="*">Any</choice>
        <default>*</default>
      </input>
      <input token="scope_choice" type="dropdown">
        <label>Select scope</label>
        <choice value="request_type">request type</choice>
        <choice value="site">site</choice>
        <choice value="zone">zone</choice>
        <choice value="cluster">cluster</choice>
        <default>request_type</default>
        <change>
          <condition value="request_type">
            <set token="scope">request_type=$request_type|s$</set>
          </condition>
          <condition value="site">
            <set token="scope">request_type=$request_type|s$ site=$site|s$</set>
          </condition>
          <condition value="zone">
            <set token="scope">request_type=$request_type|s$ site=$site|s$ zone=$zone|s$</set>
          </condition>
          <condition value="cluster">
            <set token="scope">request_type=$request_type|s$ site=$site|s$ zone=$zone|s$ cluster=$cluster|s$</set>
          </condition>
        </change>
      </input>
      <table>
        <search>
          <query>
| makeresults count=100
| eval request_type="Request type ".mvindex(split("ABC",""),random()%4)
| eval site="Site ".mvindex(split("ABC",""),random()%4)
| eval zone="Zone ".mvindex(split("ABC",""),random()%4)
| eval cluster="Cluster ".mvindex(split("ABC",""),random()%4)
| search $scope$
          </query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>

dimigs · ‎03-18-2022

I want to do this.

If scope == 'request':

search request_type="*"

elif scope == 'site':

search request_type="*" site=*

scope == 'zone':

search request_type="*" site=* zone=*

scope == 'cluster':

search request_type="*" site=* zone=* cluster=*

And I just can't make it happen

ITWhisperer · ‎03-19-2022

Change your dropdown so that the values represent the search you want to do. Here is a runanywhere example:

  <row>
    <panel>
      <input token="scope" type="dropdown">
        <label>Select scope</label>
        <choice value="request_type=&quot;*&quot;">request</choice>
        <choice value="request_type=&quot;*&quot; site=&quot;*&quot;">site</choice>
        <choice value="request_type=&quot;*&quot; site=&quot;*&quot; zone=&quot;*&quot;">zone</choice>
        <choice value="request_type=&quot;*&quot; site=&quot;*&quot; zone=&quot;*&quot; cluster=&quot;*&quot;">cluster</choice>
        <default>request_type="*"</default>
      </input>
      <table>
        <search>
          <query>
| makeresults count=100
| eval request_type="Request type ".mvindex(split("ABC",""),random()%4)
| eval site="Site ".mvindex(split("ABC",""),random()%4)
| eval zone="Zone ".mvindex(split("ABC",""),random()%4)
| eval cluster="Cluster ".mvindex(split("ABC",""),random()%4)
| search $scope$
          </query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>

How do I fix this multisearch that is acting unexpectedly

other

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM