Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Use query results from one panel as input to query on another panel on the same Dashboard

nmulm
Explorer
‎10-04-2017 04:01 AM

Hi,

Sorry if I am duplicating question here but I could not find an answer in the other posts that matched my scenario.

So I have a number of inputs on my dashboard and two panels, the first panel results in a multi row table. I wish to use the values from one of the fields as an input to a second panel on the same dashboard. I am not sure if this is possible as I have read cases where only single results are passed in this way, is this correct?

Ideally I would like the first query to be complete before the second attempted to load, and I would like the data from the query1 field I am interested in like this ( val1 OR val2 .....), so I can then use a token to insert it into my second query. I've pasted a cut down version of the Dashboard to help where $results_tok_query1$ equates to ( val1 OR val2 .....) resulting form the first query.

Thanks,
N

<form script="refresh_button.js">
  <label>Transactions</label>
  <description>Filterable means to examine transactions</description>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="global_time_tok">
      <label>Time</label>
      <default>
        <earliest>-4h@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="multiselect" searchWhenChanged="false" token="global_host_tok">
      <label>Select Hosts</label>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>host=</valuePrefix>
      <delimiter> OR  </delimiter>
      <default>host1</default>
      <choice value="host1">host1</choice>
      <choice value="host2">host2</choice>    
      ..
      <choice value="host10">host10</choice>          
      <initialValue>host1</initialValue>
    </input>
    <input type="dropdown" token="global_duration_tok">
      <label>Completed Transaction Duration (secs)</label>
      <choice value="1">>1</choice>
      <choice value="5">>5</choice>
      <choice value="15">>15</choice>
      <choice value="30">>30</choice>
      <choice value="60">>60</choice>
      <choice value="300">>300</choice>
      <choice value="3600">>3600</choice>
      <default>15</default>
    </input>
    <input type="text" token="global_search_tok" searchWhenChanged="false">
      <label>Freeform Search</label>
      <default> </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Completed Transactions Info</title>
      <table>
        <search>
            <query>
                <my query1 here> |
                table _time Host_JVM MemIdNum Interaction Duration | 
                sort _time
            </query>
          <earliest>$global_time_tok.earliest$</earliest>
          <latest>$global_time_tok.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Completed Transactions Full Log</title>
      <event>
        <search>
            <query>
                <my query2 here $results_tok_query1$ |
                transaction myCid  | 
                where duration&gt;$global_duration_tok$ | search $global_search_tok$ | sort _time
            </query>
          <earliest>$global_time_tok.earliest$</earliest>
          <latest>$global_time_tok.latest$</latest>
        </search>
        <option name="type">list</option>
      </event>
    </panel>
  </row>  
</form>
Reply

DalJeanis
Legend
‎10-04-2017 06:06 AM

Here's the structure that works for me in one dashboard/form.

In the original design, the single search calculated field2 (which was a big chunk of a search) and then ran a map.

In the revised, two-search form, the first search creates the field2, then the second search runs it.

For whatever reason, this is WAY faster than the map version, and as a bonus, you can check the details in the index to see of exactly what the final search language was.

The order of the two panels is not important using simple XML. I put the "first" panel at the bottom because, for my use case, I didn't need to see the output, and in my live dash, not reflected below, the panel stays hidden. (If I recall correctly, when using sideview the order would have to be reversed.) 

<form>
  <fieldset submitButton="true">

    ....various input fields including the one example here...

    <input type="text" token="userfield">
      <label>fieldname of user name field</label>
      <default>user</default>
    </input>

  </fieldset>

  <row>
    <panel depends="$field2$">
      <table>
        <search>
          <query>

   search 2 language here $field2$
   more search language here

          </query>
        </search>
      </table>
    </panel>
  </row>

  <row>
    <panel >
      <table>
        <search>
          <query>

      search language here using input field tokens like $userfield$ 
      more search language that calculates and populates field2
      | table field2

          </query>

          <finalized>
            <set token="field2">$result.field2$</set>
          </finalized>

        </search>
      </table>
    </panel>
  </row>
</form>

NOTE - the above is stripped down to the minimum necessary framework to achieve the result. The working parts are the <finalized> in the first search using the row 1 results to set the token for the second search.

0 Karma
Reply

cmerriman
Super Champion
‎10-04-2017 05:43 AM

I think what you might want to do is use post processing. This is a little bit of a complex post processing, as they're chained together, but i think it might work for what you're doing.
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Viz/Savedsearches#Post-process_searches_2

<form script="refresh_button.js">
   <label>Transactions</label>
   <description>Filterable means to examine transactions</description>
   <fieldset submitButton="true" autoRun="true">
     <input type="time" token="global_time_tok">
       <label>Time</label>
       <default>
         <earliest>-4h@m</earliest>
         <latest>now</latest>
       </default>
     </input>
     <input type="multiselect" searchWhenChanged="false" token="global_host_tok">
       <label>Select Hosts</label>
       <prefix>(</prefix>
       <suffix>)</suffix>
       <valuePrefix>host=</valuePrefix>
       <delimiter> OR  </delimiter>
       <default>host1</default>
       <choice value="host1">host1</choice>
       <choice value="host2">host2</choice>      
       ..
       <choice value="host10">host10</choice>            
       <initialValue>host1</initialValue>
     </input>
     <input type="dropdown" token="global_duration_tok">
       <label>Completed Transaction Duration (secs)</label>
       <choice value="1">>1</choice>
       <choice value="5">>5</choice>
       <choice value="15">>15</choice>
       <choice value="30">>30</choice>
       <choice value="60">>60</choice>
       <choice value="300">>300</choice>
       <choice value="3600">>3600</choice>
       <default>15</default>
     </input>
     <input type="text" token="global_search_tok" searchWhenChanged="false">
       <label>Freeform Search</label>
       <default> </default>
     </input>
   </fieldset>
   <search id="baseSearch">
      <query>
        <my query1 here> |
            table _time Host_JVM MemIdNum Interaction Duration | 
            sort _time
      </query>
        <earliest>$global_time_tok.earliest$</earliest>
        <latest>$global_time_tok.latest$</latest>
    </search>
    <search base="baseSearch" id="subBaseSearch">
      <query>
        |table interestingField|format
      </query>
        <earliest>$global_time_tok.earliest$</earliest>
        <latest>$global_time_tok.latest$</latest>
        <done><set token="results_tok_query1">$results.interestingField$</set></done>
    </search>
   <row>
     <panel>
       <title>Completed Transactions Info</title>
       <table>
         <search base="baseSearch">
             <query>
             </query>
           <earliest>$global_time_tok.earliest$</earliest>
           <latest>$global_time_tok.latest$</latest>
         </search>
       </table>
     </panel>
   </row>
   <row>
     <panel>
       <title>Completed Transactions Full Log</title>
       <event>
         <search>
             <query>
                 <my query2 here $results_tok_query1$ |
                 transaction myCid  | 
                 where duration>$global_duration_tok$ | search $global_search_tok$ | sort _time
             </query>
           <earliest>$global_time_tok.earliest$</earliest>
           <latest>$global_time_tok.latest$</latest>
         </search>
         <option name="type">list</option>
       </event>
     </panel>
   </row>  
 </form>
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
Top