Splunk Search

Is it possible to use two base searches in one post-processing search?

krdo
Communicator

I have a dashboard similar to this one:

<form>
  <label>Multiple Base Searches</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="selectedHost" searchWhenChanged="true">
      <label>Host</label>
      <search base="statsBase"></search>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <selectFirstChoice>true</selectFirstChoice>
    </input>
  </fieldset>
  <search id="timechartBase">
    <query>
      index=_internal 
      | eval count = 1
      | timechart per_minute(count) as rate 
                  by host
    </query>
    <earliest>-10m@m</earliest>
    <latest>@m</latest>
  </search>
  <search id="statsBase">
    <query>
      index=_internal 
      | stats count as count by host
      | addinfo
      | eval rate=count * 60 / (info_max_time - info_min_time)
      | fields host rate
    </query>
    <earliest>-20m@m</earliest>
    <latest>-10m@m</latest>
  </search>
  <row>
    <panel>
      <single>
        <title>Baseline</title>
        <search base="statsBase">
          <!-- The value of the "rate" field should replace the hard-coded value "123" -->
          <query>
            where host=$selectedHost|s$
            | fields rate
          </query>
        </search>
      </single>
    </panel>
    <panel>
      <chart>
        <title>Timechart with baseline overlay</title>
        <search base="timechartBase">
          <!-- Here I want to use the value of the "rate" field from the "statsBase" search instead of the hard-coded value 123 -->
          <query>
            fields _time $selectedHost|s$
            | eval baseline = 123
          </query>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.overlayFields">baseline</option>
      </chart>
    </panel>
  </row>
</form>

Instead of the hard-coded value "123" in the search "Timechart with baseline overlay", I want to use the rate field which is calculated in the "statsBase" search. I could not find anything suitable in the documentation. Is this even possible?

As a workaround, I tried to use the loadjob command to access the result of the second base search, as shown in the code below:

<form>
  <label>Multiple Base Searches</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="selectedHost" searchWhenChanged="true">
      <label>Host</label>
      <search base="statsBase"></search>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <selectFirstChoice>true</selectFirstChoice>
    </input>
  </fieldset>
  <search id="timechartBase">
    <query>
      index=_internal 
      | eval count = 1
      | timechart per_minute(count) as rate 
                  by host
    </query>
    <earliest>-10m@m</earliest>
    <latest>@m</latest>
  </search>
  <search id="statsBase">
    <query>
      index=_internal 
      | stats count as count by host
      | addinfo
      | eval rate=count * 60 / (info_max_time - info_min_time)
      | fields host rate
    </query>
    <earliest>-20m@m</earliest>
    <latest>-10m@m</latest>
    <done>
      <!-- Make search results available for loadjob command. -->
      <set token="sid">$job.sid$</set>
    </done>
  </search>
  <row>
    <panel>
      <single>
        <title>Baseline</title>
        <search base="statsBase">
          <query>
            where host=$selectedHost|s$
            | fields rate
          </query>
        </search>
      </single>
    </panel>
    <panel>
      <chart>
        <title>Timechart with baseline overlay</title>
        <search base="timechartBase">
          <!-- Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression -->
          <query>
            fields _time $selectedHost|s$
            | eval [ | loadjob $sid|s$ | where host=$selectedHost|s$ | return baseline=rate ]
          </query>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.overlayFields">baseline</option>
      </chart>
    </panel>
  </row>
</form>

When I open the panel in search using the magnifier icon, however, the generated search works perfectly.
I'm on Splunk Enterprise 6.3.1, by the way.

0 Karma

sundareshr
Legend

Have you tried including the rate calculation in the subsearch? Something like this...

eval rate=123
| fields host rate
| where host=$selectedHost|s$
| fields rate

AND

eval rate=count * 60 / (info_max_time - info_min_time)
| fields host rate
| where host=$selectedHost|s$
| fields rate
0 Karma

krdo
Communicator

Thanks for your reply - the example above is fairly simple and it would be no problem to do this. But my actual searches are far more complex and take some time to execute. Hence I wanted to avoid running the two base searches more than once. The solution you suggested would execute the rate calculation base search each time the user selects a different host.

0 Karma

sundareshr
Legend

There are a couple of options

1) Move the | where host=$selectedHost|s$ to before the eval rate=123 command. This way you are calculating rate only for the one event.

2) Create two variables in your base search and use them accordingly in your sub-searches. Something like variablerate and fixedrate, so then in your subsearch you could use fields host fixedrate or fields host variablerate

0 Karma
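The following dashboard is an added example, not code from either participant in this thread. It carries the second suggestion above (compute every value you need in one base search and let each post-process search pick the fields it wants) through to the asker's two-window case: instead of one base search per time window, a single base search over the last 20 minutes tags each minute as "baseline" or "current", computes the per-host baseline rate with eventstats, and exposes both the per-minute rate and the baseline on every row. The base search then runs exactly once per dashboard load; changing the host dropdown only re-runs the cheap post-process filters, and no loadjob or SID token is needed. The search id rateBase, the window field and the baseline arithmetic are this example's own choices; index=_internal and the -20m@m/-10m@m/@m boundaries are taken from the question.

```xml
<form>
  <label>Baseline overlay from a single base search</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="selectedHost" searchWhenChanged="true">
      <label>Host</label>
      <!-- Post-process: distinct hosts from the shared base search -->
      <search base="rateBase">
        <query>stats count by host</query>
      </search>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <selectFirstChoice>true</selectFirstChoice>
    </input>
  </fieldset>
  <!-- One base search covering both windows (added example, not from the thread).
       Rows with _time before -10m@m form the baseline window; the rest are charted.
       eventstats writes the per-host baseline onto every row, so each post-process
       search can read it without a second base search or loadjob. -->
  <search id="rateBase">
    <query>
      index=_internal
      | eval window=if(_time &lt; relative_time(now(), "-10m@m"), "baseline", "current")
      | bin _time span=1m
      | stats count as rate by _time host window
      | eventstats sum(eval(if(window="baseline", rate, 0))) as baseline_events by host
      | eval baseline=baseline_events / 10
      | fields _time host window rate baseline
    </query>
    <!-- The divisor 10 is the baseline window length in minutes (-20m@m to -10m@m);
         change it together with these bounds. -->
    <earliest>-20m@m</earliest>
    <latest>@m</latest>
  </search>
  <row>
    <panel>
      <single>
        <title>Baseline (events per minute, previous 10 minutes)</title>
        <search base="rateBase">
          <query>
            where host=$selectedHost|s$
            | stats first(baseline) as rate
          </query>
        </search>
      </single>
    </panel>
    <panel>
      <chart>
        <title>Timechart with baseline overlay</title>
        <search base="rateBase">
          <!-- Only the current window is charted; baseline rides along as an overlay -->
          <query>
            where host=$selectedHost|s$ AND window="current"
            | fields _time rate baseline
          </query>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.overlayFields">baseline</option>
      </chart>
    </panel>
  </row>
</form>
```

Two caveats. The `<` in the eval must be written as `&lt;` inside Simple XML, otherwise the dashboard fails to parse. And bin plus stats, unlike timechart, emits no row for a minute in which a host logged nothing, so such minutes are absent from the chart rather than drawn as zero; dividing the summed baseline events by the window length (as above) rather than averaging the per-minute rows keeps the baseline itself correct despite those gaps.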