
Tokens: Why is the search element with depends attribute not working?

tschwitt
New Member

I am trying to define a chained search where filters are applied if the corresponding token is set. But, in the example below, the depends attribute seems not to work as expected. The search is waiting for input as long as fooFilter or barFilter is not set. Splunk version is 6.6.8 and, according to the doc, the depends attribute should be supported in searches. What did I miss?

<search id="top">
    <query>
      index=a | stats count by foo bar 
    </query>
    <earliest>$globalTimePicker.earliest$</earliest>
    <latest>$globalTimePicker.latest$</latest>
  </search>
  <!-- chained Filters -->
  <search depends="fooFilter" id="filter1" base="top">
    <query>
      where foo=$fooFilter$
    </query>
  </search>
  <search depends="barFilter" id="filter2" base="filter1">
    <query>
      where bar=$barFilter$
    </query>
  </search>
  <search id="baseSearch" base="filter2">
    <query>
      sort -count
    </query>
  </search>
0 Karma
1 Solution

renjith_nair
SplunkTrust

@tschwitt,

Can you try the run-anywhere example below and see if it works according to your requirement? If it does not work, please let us know which search in the dashboard is waiting for both tokens.

<form>
  <search id="top">
    <query>|makeresults  |eval x="Foo_A,Foo_B",y="Bar_A,Bar_B"|makemv delim="," x| makemv delim="," y|eval z=mvzip(x,y)|fields _time,z|mvexpand z|eval s=split(z,",")
|eval Foo=mvindex(s,0),Bar=mvindex(s,1)|fields _time,Foo,Bar</query>
  </search>
  <fieldset submitButton="false" autoRun="false">
    <input type="dropdown" token="foo">
      <label>Foo</label>
      <choice value="Foo_A">Foo_A</choice>
      <choice value="Foo_B">Foo_B</choice>
    </input>
    <input type="dropdown" token="bar">
      <label>Bar</label>
      <choice value="Bar_A">Bar_A</choice>
      <choice value="Bar_B">Bar_B</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search depends="$foo$" id="filter1" base="top">
          <query>where Foo="$foo$"</query>
        </search>
      </table>
    </panel>
    <panel>
      <table>
        <search depends="$bar$" id="filter2" base="filter1">
          <query>where Bar="$bar$"</query>
        </search>
        <option name="count">10</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table>
        <search id="basesearch" base="filter2">
          <query>sort -_time</query>
        </search>
        <option name="count">10</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>    
  </row>
</form>
Happy Splunking!


0 Karma


tschwitt
New Member

@renjith.nair
Thank you for your input. What I try to achieve is a global search "baseSearch" that I use afterwards in different panels showing the result from different perspectives (e.g. "| top x" in one panel and "| top y" in another). The logic to build the baseSearch is as follows:

A generic search (id top in the example) should be appended by filter queries based on the tokens that are set. If no token is set, the baseSearch directly appends the topSearch (no filters applied):

index=a | stats count by foo bar | sort -count

If token foo is set (e.g. to foo1) but bar is not set, then the baseSearch should look as follows:

index=a | stats count by foo bar | where foo=1 | sort -count

If bar is set (e.g. to bar1) but foo is not set, then the baseSearch should look as follows:

index=a | stats count by foo bar | where bar=bar1 | sort -count

If both are set, the baseSearch should look as follows:

index=a | stats count by foo bar | where foo=1 | where bar=bar1 | sort -count
0 Karma

renjith_nair
SplunkTrust

@tschwitt, OK, try this. We need to first evaluate if the tokens are set.

<form>
  <search id="top">
    <query>|makeresults  |eval x="Foo_A,Foo_B",y="Bar_A,Bar_B"|makemv delim="," x| makemv delim="," y|eval z=mvzip(x,y)|fields _time,z|mvexpand z|eval s=split(z,",")
 |eval Foo=mvindex(s,0),Bar=mvindex(s,1)|fields _time,Foo,Bar</query>
  </search>
  <fieldset submitButton="false" autoRun="false">
    <input type="dropdown" token="foo">
      <label>Foo</label>
      <choice value="Foo_A">Foo_A</choice>
      <choice value="Foo_B">Foo_B</choice>
      <change>
        <eval token="first_token">case(isnull($value$),"",true(),"|where Foo=\"".$foo$."\"")</eval>
      </change>
    </input>
    <input type="dropdown" token="bar">
      <label>Bar</label>
      <choice value="Bar_A">Bar_A</choice>
      <choice value="Bar_B">Bar_B</choice>
      <change>
        <eval token="second_token">case(isnull($value$),"",true(),"|where Bar=\"".$bar$."\"")</eval>
      </change>
    </input>
  </fieldset>
  <search id="basesearch" base="top">
      <query>$first_token$ $second_token$ |sort -_time</query>
  </search>
  <row>
    <panel>
      <table>
        <search base="basesearch">
          <query></query>
        </search>
        <option name="count">10</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
Happy Splunking!
0 Karma
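
Added example (not posted by anyone in this thread, and not Splunk's own code): another way to get the optional-filter baseSearch described above without depends, by giving each token an "All" default so it is never unset. The "All" choice, the constructed sample data and the panel queries are assumptions; the |s token filter quotes and escapes the value, so a token supplied through the URL cannot append extra SPL to the shared search.

```xml
<form>
  <label>Optional filters on one shared base search</label>
  <!-- Constructed sample data; Foo/Bar values follow the thread's run-anywhere example -->
  <search id="top">
    <query>| makeresults count=4 | streamstats count AS n
| eval Foo=if(n%2==1,"Foo_A","Foo_B"), Bar=if(floor(n/3)==0,"Bar_A","Bar_B")
| fields _time Foo Bar</query>
  </search>
  <!-- No depends attribute: both tokens always hold a value, so this search
       never waits for input. "*" matches every value, i.e. no filter applied.
       The |s filter wraps the value in quotes and escapes embedded quotes,
       so a value passed as form.foo=... in the URL stays a string literal. -->
  <search id="baseSearch" base="top">
    <query>search Foo=$foo|s$ Bar=$bar|s$ | sort -_time</query>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="foo" searchWhenChanged="true">
      <label>Foo</label>
      <choice value="*">All</choice>
      <choice value="Foo_A">Foo_A</choice>
      <choice value="Foo_B">Foo_B</choice>
      <default>*</default>
    </input>
    <input type="dropdown" token="bar" searchWhenChanged="true">
      <label>Bar</label>
      <choice value="*">All</choice>
      <choice value="Bar_A">Bar_A</choice>
      <choice value="Bar_B">Bar_B</choice>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <!-- Each panel views the same filtered result from a different perspective -->
    <panel>
      <table><search base="baseSearch"><query>top Foo</query></search></table>
    </panel>
    <panel>
      <table><search base="baseSearch"><query>top Bar</query></search></table>
    </panel>
  </row>
</form>
```

Note that search Foo="*" drops rows where Foo is missing; after a stats ... by foo bar, as in the original question, both fields are always present, so nothing is lost.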

mstjohn_splunk
Splunk Employee

hi @tschwitt,

Sorry you're having trouble getting responses to your question. Were you able to solve this on your own? If so, would you mind posting in the answers section what you figured out? I'm sure others are having your same problem.

If the problem is still driving you crazy, you can also check out our Slack channel. There are 5000+ Splunk users in our public Slack Community chat. People ask each other for immediate help on there daily. You can share your question/link to your post there to see if anyone can take a stab at it.

You first have to request access through https://splk.it/slack. Fill out the form, and once you receive the approval email from our Community Manager (the approval process may take a couple days), you can access Slack.com and ask for help in the #general channel.

Thanks for posting!

0 Karma