
I want to do this.

if scope == 'request':

    search request_type=*

elif scope == 'site':

    search request_type=* site=*

elif scope == 'zone':

    search request_type=* site=* zone=*

elif scope == 'cluster':

    search request_type=* site=* zone=* cluster=*

And I just can't make it happen. Why is this so hard? I tried gen'ing up a search string. I tried a multisearch. I don't want charts per scope type. That is ugly. I can't do something like this:

eval search_string="request_type=* site=* zone=* cluster=*" | search $search_string$

I also tried a conditional multi-search. I get no filtering from that.

| multisearch 
    [search $request_type_token$ | where "$scope_token$" == "request_type" ] 
    [search $request_type_token$ $site_token$ | where "$scope_token$" == "site"] 
    [search $request_type_token$ $site_token$ $zone_token$ | where "$scope_token$" == "zone"] 
    [search scope=$scope_token$ $request_type_token$ $site_token$ $zone_token$ $cluster_token$ | where "$scope_token$" == "cluster"] 
Stephen Dimig

2 Answers

multisearch is not the right approach as it will run all 4 searches simultaneously.

You should be able to build the search string in a subsearch something like this:

index=foo request_type=* [| makeresults 
  | eval search=case($token$="site","site=*", 
                     $token$="zone", "site=* zone=*", 
                     $token$="cluster", "site=* zone=* cluster=*", 
                     1==1, "") 
  | fields search]

The subsearch evaluates the token and sets the search string based on the selected value. The 1==1 case catches any unexpected values.

RichG
  • How is "search" ever evaluated here? I need something equivalent to search site=$site_token$ zone=$zone_token$ cluster=$cluster_token$ to be executed – Stephen Dimig Mar 21 '22 at 12:00
  • I see examples where people take that search string and make a token out of it in xml. – Stephen Dimig Mar 21 '22 at 12:04
  • $row.Search_String$ – Stephen Dimig Mar 21 '22 at 12:04
  • But I am using an old-style dashboard and do not have that. I can't find any spl command to create a token – Stephen Dimig Mar 21 '22 at 12:05
  • The `search` field is evaluated automatically when the subsearch completes. Run the subsearch by itself to see what it returns. That result is added to the main search and executed. – RichG Mar 21 '22 at 12:15
  • There are no SPL commands to create tokens. Tokens are created using Simple XML, which every "old style" dashboard has. The `$row.Search_String$` construct requires a completed search (it's what `row` references). – RichG Mar 21 '22 at 12:19

Since this is taking place on a dashboard (else you wouldn't have tokens), you may be best off building the possible searches into separate panels and only displaying the one you choose by using the depends="$token$" option on each panel, using a conditional eval when a dropdown item is chosen.

https://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML

warren
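As an added example (not code from the question or from either answer), this is the Simple XML that RichG's comment refers to: a fixed-choice dropdown whose `<change>` handler sets a token holding the SPL fragment, so a single search panel can use it instead of warren's one-panel-per-scope approach. The token names `scope` and `scope_filter`, the index `foo` and the 24-hour window are assumptions. Because the fragment comes only from the fixed `<choice>` values and never from typed text, a dashboard user cannot place arbitrary SPL into the search.

```xml
<form>
  <label>Requests by scope</label>
  <!-- Assumed token names: scope (dropdown) and scope_filter (derived SPL fragment). -->
  <init>
    <set token="scope_filter">request_type=*</set>
  </init>
  <fieldset submitButton="false">
    <input type="dropdown" token="scope">
      <label>Scope</label>
      <choice value="request">Request</choice>
      <choice value="site">Site</choice>
      <choice value="zone">Zone</choice>
      <choice value="cluster">Cluster</choice>
      <default>request</default>
      <!-- Each fixed choice maps to a fixed SPL fragment; no free text reaches the search. -->
      <change>
        <condition value="request">
          <set token="scope_filter">request_type=*</set>
        </condition>
        <condition value="site">
          <set token="scope_filter">request_type=* site=*</set>
        </condition>
        <condition value="zone">
          <set token="scope_filter">request_type=* site=* zone=*</set>
        </condition>
        <condition value="cluster">
          <set token="scope_filter">request_type=* site=* zone=* cluster=*</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Request counts ($scope$ scope)</title>
      <table>
        <search>
          <!-- $scope_filter$ expands to the fragment chosen above. -->
          <query>index=foo $scope_filter$ | stats count by request_type</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The `<init>` block gives `scope_filter` a value on first load so the query never runs with an unresolved token, and the `<change>` handler rewrites it whenever the dropdown changes.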