Splunk Search

Please help: "search depends" and "search rejects" not working

HenryFitzerald
New Member

ISSUE
Hi all, I have two drop-down boxes with a 1-to-many relationship, with tokens "service_family" and "feature" as below.
A user chooses a "service_family" and "feature" token, which are used to execute a query as below; the result depends on the chosen service_family and feature in the query via a "lookup" and "search" etc.
    index=_internal sourcetype=BookWork
    | lookup lookup fd_$l_service_family_tok$_$l_enter_feature_tok$_map
    | search fd_feature=$enter_feature_tok$

Example: a user chooses EDH and STMT, so service_family=EDH and enter_feature_tok=STMT.
l_service_family_tok is just the lowercase ("stmt") for the query.
But I need to implement a new user choice called ALL, so I made service_family=ALL and feature "*", which produces everything in the query; there is no need to implement the lookup and search in the query as they are not required.

So when ALL is chosen, the query that executes is
    index=_internal sourcetype=BookWork
So the issue is how to get a condition to execute only part of the query => (index=_internal sourcetype=BookWork) when the user chooses A
    Service_family   Feature
    EDH              STMT
    EDH              INBOX
    EDH              STMT
    EDH              ACCTS
    GMM              CCA
    GMM              CIA
    GMM              RESAVER
    HWBT             PLA
    PWS              ALL

    New option =>
    ALL              *

I thought the below would result in a conditional query that executes two queries in the same panel, and when ALL is chosen executes the second query (index=_internal sourcetype=BookWork).

I thought to set a token called All (with two lowercase l's, "All") to true, as below, together with *.

      <condition value="ALL">
        <set token="feature_values">*</set>
        <!--set token="feature_values">ALL</set-->
        <set token="All">true</set>
        <unset token="form.enter_feature_tok"></unset>
      </condition>

And create two search queries, as below.

<search depends="$All$">
      <title>BookWorks ALL and individual choices events</title>
      <search>
        <query> index=_internal  sourcetype=BookWork </query>
        <earliest>$master_time_span.earliest$</earliest>
        <latest>$master_time_span.latest$</latest>
      </search>
      <option name="charting.chart">column</option>
      <option name="charting.drilldown">none</option>
    </chart>
     <search rejects="$All$">
       <title>BookWorks</title>
       <search>
         <query>
          index=_internal  sourcetype=BookWork 
          | lookup lookup fd_$l_service_family_tok$_$l_enter_feature_tok$_map  
          | search fd_feature=$enter_feature_tok$ 
         </query>
  </search>

I do not know how to get it to work and obtained errors ("search not allowed" etc.). On further reading, the docs say "rejects" and "depends" are not attributes of search, so I am trying a chart.

http://docs.splunk.com/Documentation/Splunk/7.2.1/Viz/tokens

CODE

 <form>
 <label>EVENTS-ALL</label>
 <description>Shows events ALL</description>
 <fieldset submitButton="true" autoRun="false">
  <input type="time" token="master_time_span">
    <label>Chart time span</label>
    <default>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </default>
  </input>
  <input type="dropdown" token="service_family_tok" searchWhenChanged="true">
    <label>Choose Service Family:</label>
    <choice value="ALL">ALL</choice>
    <choice value="GMM">GMM</choice>
    <choice value="HWBT">HWBT</choice>
    <choice value="EDH">EDH</choice>
    <choice value="PWS">PWS</choice>
    <default>ALL</default>
    <initialValue>ALL</initialValue>
    <change>
      <!-- ALL: expose every feature and set the gating token used by the charts below -->
      <condition value="ALL">
        <set token="feature_values">*</set>
        <!--set token="feature_values">ALL</set-->
        <set token="All">true</set>
        <unset token="form.enter_feature_tok"></unset>
      </condition>
      <condition value="EDH">
        <set token="feature_values">MANACCS,INBOX,STMT,ACTS</set>
        <unset token="form.enter_feature_tok"></unset>
      </condition>
      <condition value="GMM">
        <set token="feature_values">CCA,CIA,REG</set>
        <unset token="form.enter_feature_tok"></unset>
      </condition>
      <condition value="HWBT">
        <set token="feature_values">PLA</set>
        <unset token="form.enter_feature_tok"></unset>
      </condition>
      <condition value="PWS">
        <set token="feature_values">ALL</set>
        <unset token="form.enter_feature_tok"></unset>
      </condition>
    </change>
  </input>
  <input type="dropdown" token="enter_feature_tok">
    <label>Choose Feature:</label>
    <fieldForLabel>feature</fieldForLabel>
    <fieldForValue>feature</fieldForValue>
    <!-- feature list is built from the comma-separated feature_values token -->
    <search>
      <query>|makeresults|eval feature="$feature_values$"|makemv feature delim=","|mvexpand feature</query>
      <earliest>-1s@s</earliest>
      <latest>now</latest>
    </search>
    <change>
      <eval token="l_service_family_tok">lower($service_family_tok$)</eval>
      <eval token="l_enter_feature_tok">lower($value$)</eval>
    </change>
  </input>
 </fieldset>
 <row>
  <panel>
    <title>BookWorks</title>
    <!-- shown only while the All token is set -->
    <chart depends="$All$">
      <title>BookWorks ALL and individual choices events</title>
      <search>
        <query> index=_internal  sourcetype=BookWork </query>
        <earliest>$master_time_span.earliest$</earliest>
        <latest>$master_time_span.latest$</latest>
      </search>
      <option name="charting.chart">column</option>
      <option name="charting.drilldown">none</option>
    </chart>
    <!-- shown only while the All token is not set -->
    <chart rejects="$All$">
      <title>BookWorks</title>
      <search>
        <query>
          index=_internal  sourcetype=BookWork
          | lookup lookup fd_$l_service_family_tok$_$l_enter_feature_tok$_map
          | search fd_feature=$enter_feature_tok$
        </query>
      </search>
      <option name="charting.chart">column</option>
      <option name="charting.drilldown">none</option>
    </chart>
  </panel>
 </row>
 </form>