topic Re: conditional eval ResultsValueSetter in All Apps and Add-ons

conditional eval ResultsValueSetter

sbsbb — Mon, 28 Sep 2020 13:42:58 GMT

I'm trying to do this

You can do this using conditional eval command in the search language to
create one of N different search
language strings, and then a
ResultsValueSetter to pull down that
string-valued field, and plug it into
your search using another Search
module.

I've my main search, and a table
From that table I make a postprocess to build a $varSearch$ with the search String

My Problem is my postprocess seems not to work as desired :
eval varSearch=case($row.fields.H_message_type$=="test","AA",H_message_type=="Ctest","ZZ")

This gives no results, so I'm not able to use it i the underlying search... ?

Re: conditional eval ResultsValueSetter

sideview — Thu, 11 Apr 2013 17:06:22 GMT

OK. This can work, you just have to see the search expression from splunk's perspective after the $foo$ token gets filled in.

eval varSearch=case($row.fields.H_message_type$=="test","AA",H_message_type=="Ctest","ZZ")

will go up as

eval varSearch=case(test=="test","AA",H_message_type=="Ctest","ZZ")

This is testing for when the value of the test field is equal to the string test. Change it to

eval varSearch=case("$row.fields.H_message_type$"=="test","AA",H_message_type=="Ctest","ZZ")

and what you'll be sending to splunk will look like:

eval varSearch=case("test"=="test","AA",H_message_type=="Ctest","ZZ")

Splunk may raise an eyebrow at your silly behaviour, but it will evaluate the condition to true at least. It's a strange trick but not an uncommon one when all you need is a little conditional help from the search language.

Re: conditional eval ResultsValueSetter

sbsbb — Fri, 12 Apr 2013 04:58:47 GMT

thanks for that.
I have still the problem that a "search eval..." return no row, how can I change this ?

In fact, it is probably the same, as when I want to make an spath on a $foo$ variable, I don't know either how to do it !

Re: conditional eval ResultsValueSetter

sideview — Fri, 12 Apr 2013 05:01:11 GMT

eval is a command, so there has to be a "|" character in front of it. Can you clarify what you mean by "search eval.." It sounds like you're using the search command, which will simply search for these strings and thus return no results.

try this:

| stats count | fields - count | eval varSearch=case("$row.fields.H_message_type$"=="test","AA",H_message_type=="Ctest","ZZ")

it looks bizarre because it is. | stats count creates one row with a 'count' field equal to 0. the fields clause then removes the count field leaving a row and thus a blank slate for your eval...

Re: conditional eval ResultsValueSetter

sideview — Fri, 12 Apr 2013 05:03:29 GMT

Again, I acknowledge that this is both weird and kind of silly. I'm working on a simple module to provide this core switching use case, so there will be a better way soon.

Re: conditional eval ResultsValueSetter

sbsbb — Mon, 15 Apr 2013 16:01:21 GMT

Now I understand the meaning of your workaround, many thanks !