Why are "search depends" and "search rejects" not working?

HenryFitzerald
New Member

ISSUE
I have two drop-down boxes with a one-to-many relationship between the tokens “service_family” and “feature”, as below.

A user chooses a “service_family” & “feature” token, which are used to execute a query as below, and the result depends on the chosen service_family & feature in a query with a “lookup” & “search”, etc.

index=_internal  sourcetype=BookWork 
| lookup lookup fd_$l_service_family_tok$_$l_enter_feature_tok$_map  
| search fd_feature=$enter_feature_tok$

Example: a user chooses EDH and STMT, so service_family=EDH and enter_feature_tok=STMT.
l_service_family_tok is just the lowercase ”stmt” for the query.

But I need to implement a new user choice called ALL, so I made service_family=ALL and feature “*”, which produces everything in the query. There's no need to implement the lookup and search in the query as it’s not required.

So when ALL is chosen the query executed is

index=_internal  sourcetype=BookWork 

So the issue is: how do I get a condition to execute only part of the query (index=_internal sourcetype=BookWork) when the user chooses ALL and *?

Service_family    Feature
EDH               STMT
EDH               INBOX
EDH               STMT
EDH               ACCTS
GMM               CCA
GMM               CIA
GMM               RESAVER
HWBT              PLA
PWS               ALL

New option:
ALL               *

I thought the below would result in a conditional query that executes two queries in the same panel, and when ALL is chosen, executes the second query (index=_internal sourcetype=BookWork).

I thought to set a token called All to true, with two lowercase l's (All), as below:

<condition value="ALL">
  <set token="feature_values">*</set>
  <!--set token="feature_values">ALL</set-->
  <set token="All">true</set>
  <unset token="form.enter_feature_tok"></unset>
</condition>

And create 2 search queries for and as below:

<search depends="$All$">
  <title>BookWorks ALL and individual choices events</title>
  <search>
    <query> index=_internal  sourcetype=BookWork </query>
    <earliest>$master_time_span.earliest$</earliest>
    <latest>$master_time_span.latest$</latest>
  </search>
  <option name="charting.chart">column</option>
  <option name="charting.drilldown">none</option>
</chart>
<search rejects="$All$">
  <title>BookWorks</title>
  <search>
    <query>
      index=_internal  sourcetype=BookWork 
      | lookup lookup fd_$l_service_family_tok$_$l_enter_feature_tok$_map  
      | search fd_feature=$enter_feature_tok$ 
    </query>
</search>

I do not know how to get it to work, and I obtained errors such as “search not allowed”, etc. I did further reading that says “reject” & “depends” are not attributes of search; trying a chart.

http://docs.splunk.com/Documentation/Splunk/7.2.1/Viz/tokens

and elements to set the token values that these attributes consume.

CODE

<form>
  <label>EVENTS-ALL</label>
  <description>Shows events ALL</description>
  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="master_time_span">
      <label>Chart time span</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="service_family_tok" searchWhenChanged="true">
      <label>Choose Service Family:</label>
      <choice value="ALL">ALL</choice>
      <choice value="GMM">GMM</choice>
      <choice value="HWBT">HWBT</choice>
      <choice value="EDH">EDH</choice>
      <choice value="PWS">PWS</choice>
      <default>ALL</default>
      <initialValue>ALL</initialValue>
      <change>
        <condition value="ALL">
          <set token="feature_values">*</set>
          <!--set token="feature_values">ALL</set-->
          <set token="All">true</set>
          <unset token="form.enter_feature_tok"></unset>
        </condition>
        <condition value="EDH">
          <set token="feature_values">MANACCS,INBOX,STMT,ACTS</set>
          <unset token="form.enter_feature_tok"></unset>
        </condition>
        <condition value="GMM">
          <set token="feature_values">CCA,CIA,REG</set>
          <unset token="form.enter_feature_tok"></unset>
        </condition>
        <condition value="HWBT">
          <set token="feature_values">PLA</set>
          <unset token="form.enter_feature_tok"></unset>
        </condition>
        <condition value="PWS">
          <set token="feature_values">ALL</set>
          <unset token="form.enter_feature_tok"></unset>
        </condition>
      </change>
    </input>
    <input type="dropdown" token="enter_feature_tok">
      <label>Choose Feature:</label>
      <fieldForLabel>feature</fieldForLabel>
      <fieldForValue>feature</fieldForValue>
      <search>
        <query>|makeresults|eval feature="$feature_values$"|makemv feature delim=","|mvexpand feature</query>
        <earliest>-1s@s</earliest>
        <latest>now</latest>
      </search>
      <change>
        <eval token="l_service_family_tok">lower($service_family_tok$)</eval>
        <eval token="l_enter_feature_tok">lower($value$)</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>BookWorks</title>
      <chart depends="$All$">
        <title>BookWorks ALL and individual choices events</title>
        <search>
          <query> index=_internal  sourcetype=BookWork </query>
          <earliest>$master_time_span.earliest$</earliest>
          <latest>$master_time_span.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
      </chart>
      <chart rejects="$All$">
        <title>BookWorks</title>
        <search>
          <query>
            index=_internal  sourcetype=BookWork 
            | lookup lookup fd_$l_service_family_tok$_$l_enter_feature_tok$_map  
            | search fd_feature=$enter_feature_tok$ 
          </query>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
</form>


DavidHourani
Super Champion

Hey man,

If I get you right, you have one lookup for each service, right?

index=_internal  sourcetype=BookWork 
| lookup lookup fd_$l_service_family_tok$_$l_enter_feature_tok$_map  
| search fd_feature=$enter_feature_tok$

If that's the case, go ahead and make a lookup including all features, called fd_all_all_map, with all your options in it. That way you don't have to complicate things and you can still use your logic with both tokens equal to all.

In case you wish to stick with your current XML, and based on https://answers.splunk.com/answers/702614/please-help-search-depends-and-search-rejects-not.html, you're missing the query closing tag:

<search depends="$All$">
  <query>
    index=_internal  sourcetype=BookWork  </query>
</search>

And last thing, you will also need a default condition to unset your "All" token when it's any choice other than All. It should look something like this for you:

<input type="dropdown" token="field1">
  <label>field1</label>
  <choice value="1">A</choice>
  <choice value="2">B</choice>
  <choice value="3">C</choice>
  <choice value="All">Test</choice>
  <change>
    <condition value="All">
      <set token="All">true</set>
    </condition>
    <condition>
      <unset token="All"></unset>
    </condition>
  </change>
</input>

Let me know if that helps.

Cheers,
David

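Putting David's two points together, as an added example that is not code from either poster: the depends/rejects attributes go on the <chart> element (not on <search>), and a default <condition> with no value attribute clears $All$ for every service family other than ALL, so the two charts swap cleanly. Token, field and lookup names are taken from the question; the service families are trimmed to ALL and EDH for brevity, and the doubled word in the question's `| lookup lookup fd_..._map` is assumed to be a typo for a single `lookup`.

```xml
<form>
  <label>EVENTS-ALL</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="dropdown" token="service_family_tok" searchWhenChanged="true">
      <label>Choose Service Family:</label>
      <choice value="ALL">ALL</choice>
      <choice value="EDH">EDH</choice>
      <default>ALL</default>
      <change>
        <!-- ALL: set $All$ so the chart with depends="$All$" is rendered -->
        <condition value="ALL">
          <set token="All">true</set>
          <set token="feature_values">*</set>
          <unset token="form.enter_feature_tok"></unset>
        </condition>
        <!-- Default condition (no value attribute): any other family clears $All$,
             so the chart with rejects="$All$" is rendered instead. Only the first
             matching condition fires, so any per-family <condition value="..."> you
             add above this one needs its own <unset token="All"> as well. -->
        <condition>
          <unset token="All"></unset>
          <set token="feature_values">MANACCS,INBOX,STMT,ACTS</set>
          <unset token="form.enter_feature_tok"></unset>
        </condition>
      </change>
    </input>
    <input type="dropdown" token="enter_feature_tok">
      <label>Choose Feature:</label>
      <fieldForLabel>feature</fieldForLabel>
      <fieldForValue>feature</fieldForValue>
      <search>
        <query>| makeresults | eval feature="$feature_values$" | makemv feature delim="," | mvexpand feature</query>
      </search>
      <change>
        <!-- lowercase copies of both tokens, used to build the lookup name -->
        <eval token="l_service_family_tok">lower($service_family_tok$)</eval>
        <eval token="l_enter_feature_tok">lower($value$)</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart depends="$All$">
        <title>BookWorks, all service families</title>
        <search><query>index=_internal sourcetype=BookWork</query></search>
      </chart>
      <chart rejects="$All$">
        <title>BookWorks, $service_family_tok$ / $enter_feature_tok$</title>
        <search><query>index=_internal sourcetype=BookWork | lookup fd_$l_service_family_tok$_$l_enter_feature_tok$_map | search fd_feature=$enter_feature_tok$</query></search>
      </chart>
    </panel>
  </row>
</form>
```

Because `form.enter_feature_tok` is unset on every family change, the second chart's lookup tokens are only refreshed once the user picks a feature, which is what keeps a stale `$l_enter_feature_tok$` out of the lookup name.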

HenryFitzerald
New Member

Hi David,
Thanks for the input. "depends" and "rejects" do not seem to be attributes of search, so I used


DavidHourani
Super Champion

Yeah, you're right ^^ It's supposed to be applied on etc. Check here: http://docs.splunk.com/Documentation/Splunk/7.2.1/Viz/tokens
