Solved: Tokens: Why is the search element with depends att...

tschwitt · ‎08-30-2018

I am trying to define a chained search where filters are applied if the corresponding token is set. But, in the example below, the depends attribute seems not to work as expected. The search is waiting for input as long as fooFilter or barFilter is not set. Splunk Verion is 6.6.8 and according to the doc, the depends attribute should be supported in searches. What did I miss?

<search id="top">
    <query>
      index=a | stats count by foo bar 
    </query>
    <earliest>$globalTimePicker.earliest$</earliest>
    <latest>$globalTimePicker.latest$</latest>
  </search>
  <!-- chained Filters -->
  <search depends="fooFilter" id="filter1" base="top">
    <query>
      where foo=$fooFilter$
    </query>
  </search>
  <search depends="barFilter" id="filter2" base="filter1">
    <query>
      where bar=$barFilter$
    </query>
  </search>
  <search id="baseSearch" base="filter2">
    <query>
      sort -count
    </query>
  </search>

renjith_nair · ‎08-31-2018

@tschwitt,

Can you try below run anywhere example and see if it works according to your requirement? If it does not work, please let's know in the dashboard which search is waiting for both tokens

<form>
  <search id="top">
    <query>|makeresults  |eval x="Foo_A,Foo_B",y="Bar_A,Bar_B"|makemv delim="," x| makemv delim="," y|eval z=mvzip(x,y)|fields _time,z|mvexpand z|eval s=split(z,",")
|eval Foo=mvindex(s,0),Bar=mvindex(s,1)|fields _time,Foo,Bar</query>
  </search>
  <fieldset submitButton="false" autoRun="false">
    <input type="dropdown" token="foo">
      <label>Foo</label>
      <choice value="Foo_A">Foo_A</choice>
      <choice value="Foo_B">Foo_B</choice>
    </input>
    <input type="dropdown" token="bar">
      <label>Bar</label>
      <choice value="Bar_A">Bar_A</choice>
      <choice value="Bar_B">Bar_B</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search depends="$foo$" id="filter1" base="top">
          <query>where Foo="$foo$"</query>
        </search>
      </table>
    </panel>
    <panel>
      <table>
        <search depends="$bar$" id="filter2" base="filter1">
          <query>where Bar="$bar$"</query>
        </search>
        <option name="count">10</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table>
        <search id="basesearch" base="filter2">
          <query>sort -_time</query>
        </search>
        <option name="count">10</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>    
  </row>
</form>

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair · ‎08-31-2018

@tschwitt,

Can you try below run anywhere example and see if it works according to your requirement? If it does not work, please let's know in the dashboard which search is waiting for both tokens

<form>
  <search id="top">
    <query>|makeresults  |eval x="Foo_A,Foo_B",y="Bar_A,Bar_B"|makemv delim="," x| makemv delim="," y|eval z=mvzip(x,y)|fields _time,z|mvexpand z|eval s=split(z,",")
|eval Foo=mvindex(s,0),Bar=mvindex(s,1)|fields _time,Foo,Bar</query>
  </search>
  <fieldset submitButton="false" autoRun="false">
    <input type="dropdown" token="foo">
      <label>Foo</label>
      <choice value="Foo_A">Foo_A</choice>
      <choice value="Foo_B">Foo_B</choice>
    </input>
    <input type="dropdown" token="bar">
      <label>Bar</label>
      <choice value="Bar_A">Bar_A</choice>
      <choice value="Bar_B">Bar_B</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search depends="$foo$" id="filter1" base="top">
          <query>where Foo="$foo$"</query>
        </search>
      </table>
    </panel>
    <panel>
      <table>
        <search depends="$bar$" id="filter2" base="filter1">
          <query>where Bar="$bar$"</query>
        </search>
        <option name="count">10</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table>
        <search id="basesearch" base="filter2">
          <query>sort -_time</query>
        </search>
        <option name="count">10</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>    
  </row>
</form>

---
What goes around comes around. If it helps, hit it with Karma 🙂

tschwitt · ‎09-03-2018

@renjith.nair
Thank you for your input. What I try to achieve is a global search "baseSearch" that I use afterwards in different panels showing the result from different perspectives (eg "| top x" in one panel and | top y in an other). The logic to build the baseSearch is as follows:

A generic search (id top in the example) should be appended by filter queries based on the tokens that are set. if no token is set the baseSearch directly appends the topSearch (no filters applied):

index=a | stats count by foo bar | sort -count

If toeken foo is set (eg to foo1) but bar is not set than the baseSearch should look as follows:

index=a | stats count by foo bar | where foo=1 | sort -count

If bar is set (eg to bar1) but foo is not set than the baseSearch should look as follows:

index=a | stats count by foo bar | where bar=bar1 | sort -count

if both are set the baseSearch should look as follows:

index=a | stats count by foo bar | where foo=1 | where bar=bar1 | sort -count

renjith_nair · ‎09-04-2018

@tschwitt, Ok, try this . We need to first evaluate if the tokens are set

<form>
  <search id="top">
    <query>|makeresults  |eval x="Foo_A,Foo_B",y="Bar_A,Bar_B"|makemv delim="," x| makemv delim="," y|eval z=mvzip(x,y)|fields _time,z|mvexpand z|eval s=split(z,",")
 |eval Foo=mvindex(s,0),Bar=mvindex(s,1)|fields _time,Foo,Bar</query>
  </search>
  <fieldset submitButton="false" autoRun="false">
    <input type="dropdown" token="foo">
      <label>Foo</label>
      <choice value="Foo_A">Foo_A</choice>
      <choice value="Foo_B">Foo_B</choice>
      <change>
        <eval token="first_token">case(isnull($value$),"",true(),"|where Foo=\"".$foo$."\"")</eval>
      </change>
    </input>
    <input type="dropdown" token="bar">
      <label>Bar</label>
      <choice value="Bar_A">Bar_A</choice>
      <choice value="Bar_B">Bar_B</choice>
      <change>
        <eval token="second_token">case(isnull($value$),"",true(),"|where Bar=\"".$bar$."\"")</eval>
      </change>
    </input>
  </fieldset>
  <search id="basesearch" base="top">
      <query>$first_token$ $second_token$ |sort -_time</query>
  </search>
  <row>
    <panel>
      <table>
        <search base="basesearch">
          <query></query>
        </search>
        <option name="count">10</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

---
What goes around comes around. If it helps, hit it with Karma 🙂

mstjohn_splunk · ‎08-31-2018

hi @tschwitt,

Sorry you're having trouble getting responses to your question. Were you able to solve this on your own? If so, would you mind posting in the answers section what you figured out? I'm sure others are having your same problem.

If the problem is still driving you crazy, you can also check out our Slack channel. There are 5000+ Splunk users in our public Slack Community chat. People ask each other for immediate help on there daily. You can share your question/link to your post there to see if anyone can take a stab at it.

You first have to request access through https://splk.it/slack. Fill out the form, and once you receive the
approval email from our Community Manager (the approval process may take a couple days), you can access Slack.com and ask for help in the #general channel.

Thanks for posting!

Tokens: Why is the search element with depends attribute not working?

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability

Introducing the Splunk Community Dashboard Challenge!