I want to pass multivalue from one search result to another search result

0waste_splunk
Communicator

Hi,

I am trying to create a report using a couple of searchTemplates. I want to pass one searchTemplate's result to a 2nd searchTemplate. The 1st search might result in a single value or a multivalue. Now, using this value/these values from the 1st search, I want to pass them to a 2nd search which will bring more detail about that value. The 2nd search is searching another index.

Like, the 1st search gives you the following result:

Number   count
123      2
4353     1
039425   6

Now I want to pass this 123, 4353 and 039425 to the 2nd search, which will get more detail about 123, 4353 and 039425.

I don't know beforehand how many lines will be displayed after the 1st search's execution.


sideview
SplunkTrust

The normal way to do this in Splunk would be to use a subsearch.

<your search terms> [search <some_terms_to_get_the_123_4353_results> | fields Number]

The square brackets would effectively become Number=123 OR Number=4353 OR Number=039425.

But to display both results in the same Simple XML dashboard you would have to basically get the same events off twice. You'd run one search to get the first search results, and then a second search that re-runs the first search as a subsearch.

With Sideview Utils you have more flexibility, although it would require moving to the Advanced XML (watch this 10-minute screencast if you're dubious). In a PostProcess module hanging off of your first search result, you can use Splunk's format search command manually to create the string Number=123 OR Number=4353 OR Number=039425 as a field value, then use the Sideview ResultsValueSetter module to pull down that string and make it available as a simple $foo$ token, usable by other modules. Then you can plug that $foo$ token into a downstream search, and you can then display both sets of results without actually getting any events off disk twice.

An advanced direction to consider is to use the Sideview Multiplexer module. With Multiplexer, even though you don't know how many rows your first search will have, you can have the Multiplexer display a paginated Table for each of those Number values, or a Chart, or some HTML and a Chart, etc.

For more info and tons of docs and working examples, download Sideview Utils and read through the embedded docs and examples pages: http://sideviewapps.com/apps/sideview-utils
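To make the expansion step in this answer concrete, here is an added Python emulation (not part of the answer, not Splunk code, and not from Sideview Utils) of what `| fields Number` followed by a subsearch or `| format` hands to the outer search. The three Number/count rows are the ones from the question; the `( ( Number="123" ) OR ... )` shape and the double-quoting of values are modelled on what Splunk's format command emits as I recall it, so treat that exact layout as an assumption. The function names, the multivalue-cell handling and the decision to raise when the first search returns nothing are this example's own choices: an empty clause would otherwise widen the second search to every event in the other index, which is the failure mode worth guarding against in a dashboard.

```python
"""Emulate the 'fields Number' projection and the format/subsearch expansion
that turn a variable-length first search result into one OR clause.

Added illustration only: the row data comes from the question; the output
shape is an assumption modelled on Splunk's default format output.
"""
from typing import Dict, List, Sequence, Union

Row = Dict[str, Union[str, List[str]]]

# Constructed sample: the rows the first search returned in the question.
# Values are kept as strings so 039425 does not silently become 39425.
FIRST_SEARCH_ROWS: List[Row] = [
    {"Number": "123", "count": "2"},
    {"Number": "4353", "count": "1"},
    {"Number": "039425", "count": "6"},
]


def _quote(value: str) -> str:
    """Double-quote one value, escaping backslashes and embedded quotes so a
    value such as 12"3 cannot terminate the quoting early inside the
    generated search string."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def project_field(rows: Sequence[Row], field: str) -> List[str]:
    """The '| fields Number' step: keep only the chosen field, flatten a
    multivalue cell into separate values, skip rows where the field is missing
    or empty, and de-duplicate while preserving first-seen order."""
    seen: List[str] = []
    for row in rows:
        cell = row.get(field)
        if cell is None:
            continue
        values = cell if isinstance(cell, list) else [cell]
        for v in values:
            if v != "" and v not in seen:
                seen.append(v)
    return seen


def format_clause(rows: Sequence[Row], field: str) -> str:
    """Build the clause the outer search receives, e.g.
    ( ( Number="123" ) OR ( Number="4353" ) OR ( Number="039425" ) ).

    Raises ValueError when there are no values: this helper's own guard, so a
    dashboard never runs the second search with an empty filter.
    """
    values = project_field(rows, field)
    if not values:
        raise ValueError(f"first search produced no values for field {field!r}")
    terms = [f"( {field}={_quote(v)} )" for v in values]
    return "( " + " OR ".join(terms) + " )"


def build_second_search(base_terms: str, rows: Sequence[Row], field: str) -> str:
    """Plug the clause into the downstream search, the way the $foo$ token or
    the subsearch brackets do in the answer. base_terms is whatever the second
    search already had (here a hypothetical index name)."""
    return f"{base_terms} {format_clause(rows, field)}"


if __name__ == "__main__":
    print(build_second_search("index=details", FIRST_SEARCH_ROWS, "Number"))
```

The single-value case needs no special handling: one row yields a one-term clause, and a multivalue cell in a single row expands to the same OR list as several single-value rows, which is the behaviour the question asks for.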
