I have a dashboard similar to this one:
<form>
  <label>Multiple Base Searches</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="selectedHost" searchWhenChanged="true">
      <label>Host</label>
      <search base="statsBase"></search>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <selectFirstChoice>true</selectFirstChoice>
    </input>
  </fieldset>
  <search id="timechartBase">
    <query>
      index=_internal
      | eval count = 1
      | timechart per_minute(count) as rate
        by host
    </query>
    <earliest>-10m@m</earliest>
    <latest>@m</latest>
  </search>
  <search id="statsBase">
    <query>
      index=_internal
      | stats count as count by host
      | addinfo
      | eval rate=count * 60 / (info_max_time - info_min_time)
      | fields host rate
    </query>
    <earliest>-20m@m</earliest>
    <latest>-10m@m</latest>
  </search>
  <row>
    <panel>
      <single>
        <title>Baseline</title>
        <search base="statsBase">
          <!-- The value of the "rate" field should replace the hard-coded value "123" -->
          <query>
            where host=$selectedHost|s$
            | fields rate
          </query>
        </search>
      </single>
    </panel>
    <panel>
      <chart>
        <title>Timechart with baseline overlay</title>
        <search base="timechartBase">
          <!-- Here I want to use the value of the "rate" field from the "statsBase" search instead of the hard-coded value 123 -->
          <query>
            fields _time $selectedHost|s$
            | eval baseline = 123
          </query>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.overlayFields">baseline</option>
      </chart>
    </panel>
  </row>
</form>
Instead of the hard-coded value "123" in the search "Timechart with baseline overlay", I want to use the rate field which is calculated in the "statsBase" search. I could not find anything suitable in the documentation. Is this even possible?
As a workaround, I tried to use the loadjob command to access the result of the second base search, as shown in the code below:
<form>
  <label>Multiple Base Searches</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="selectedHost" searchWhenChanged="true">
      <label>Host</label>
      <search base="statsBase"></search>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <selectFirstChoice>true</selectFirstChoice>
    </input>
  </fieldset>
  <search id="timechartBase">
    <query>
      index=_internal
      | eval count = 1
      | timechart per_minute(count) as rate
        by host
    </query>
    <earliest>-10m@m</earliest>
    <latest>@m</latest>
  </search>
  <search id="statsBase">
    <query>
      index=_internal
      | stats count as count by host
      | addinfo
      | eval rate=count * 60 / (info_max_time - info_min_time)
      | fields host rate
    </query>
    <earliest>-20m@m</earliest>
    <latest>-10m@m</latest>
    <done>
      <!-- Make search results available for loadjob command. -->
      <set token="sid">$job.sid$</set>
    </done>
  </search>
  <row>
    <panel>
      <single>
        <title>Baseline</title>
        <search base="statsBase">
          <query>
            where host=$selectedHost|s$
            | fields rate
          </query>
        </search>
      </single>
    </panel>
    <panel>
      <chart>
        <title>Timechart with baseline overlay</title>
        <search base="timechartBase">
          <!-- Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression -->
          <query>
            fields _time $selectedHost|s$
            | eval [ | loadjob $sid|s$ | where host=$selectedHost|s$ | return baseline=rate ]
          </query>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.overlayFields">baseline</option>
      </chart>
    </panel>
  </row>
</form>
When I open the panel in search using the magnifier icon, however, the generated search works perfectly.
I'm on Splunk Enterprise 6.3.1, by the way.
See https://answers.splunk.com/answers/616340/is-it-possible-to-use-base-search-in-append-sub-se.html
Simply append multiple loadjobs for multiple base searches. Also see:
https://answers.splunk.com/answers/738095/dashboard-search-optimization-only-run-searches-wh.html
Have you tried including the rate calculation in the subsearch? Something like this:
eval rate=123
| fields host rate
| where host=$selectedHost|s$
| fields rate
and
eval rate=count * 60 / (info_max_time - info_min_time)
| fields host rate
| where host=$selectedHost|s$
| fields rate
Thanks for your reply - the example above is fairly simple and it would be no problem to do this. But my actual searches are far more complex and take some time to execute. Hence I wanted to avoid running the two base searches more than once. The solution you suggested would execute the rate calculation base search each time the user selects a different host.
There are a couple of options:
1) Move the | where host=$selectedHost|s$ to before the eval rate=123 command. This way you are calculating rate only for the one event.
2) Create two variables in your base search and use them accordingly in your sub-searches. Something like variablerate and fixedrate, so then in your subsearch you could use fields host fixedrate or fields host variablerate