https://community.splunk.com/t5/Getting-Data-In/How-to-filter-search-result-based-on-case-condition/m-p/362460#M66078 <P>Thanks a lot! Tried the first query and it worked!</P> Thu, 04 May 2017 12:21:15 GMT andreigro 2017-05-04T12:21:15Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-search-result-based-on-case-condition/m-p/362458#M66076 <P>Hi guys, I'm new to splunk and I have one issue with filtering my search results based on a case condition<BR /> My search string:<BR /> sourcetype="WMI:CPUTime" | eval selected_host=case("$ddl_instance$" == "a", "Server1", "$ddl_instance$" == "b", "Server2", "$ddl_instance$" == "c", "Server3") | timechart span=1d eval(round(avg(PercentProcessorTime),1)) by host limit=20</P> <P>I now I need to filter this based on the field named <STRONG>host</STRONG>=selected_host</P> <P>It doesn't sound very complex but I cannot make it work.<BR /> Thank you,<BR /> Andrei</P> Tue, 29 Sep 2020 13:56:53 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-search-result-based-on-case-condition/m-p/362458#M66076 andreigro 2020-09-29T13:56:53Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-search-result-based-on-case-condition/m-p/362459#M66077 <P>Try one of these.</P> <PRE><CODE>sourcetype="WMI:CPUTime" | eval selected_host=case("$ddl_instance$" == "a", "Server1", "$ddl_instance$" == "b", "Server2", "$ddl_instance$" == "c", "Server3") | where host=selected_host | timechart span=1d eval(round(avg(PercentProcessorTime),1)) by host limit=20 sourcetype="WMI:CPUTime" | where host=case("$ddl_instance$" == "a", "Server1", "$ddl_instance$" == "b", "Server2", "$ddl_instance$" == "c", "Server3") | timechart span=1d eval(round(avg(PercentProcessorTime),1)) by host limit=20 </CODE></PRE> Thu, 04 May 2017 12:18:39 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-search-result-based-on-case-condition/m-p/362459#M66077 richgalloway 2017-05-04T12:18:39Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-search-result-based-on-case-condition/m-p/362460#M66078 <P>Thanks a lot! Tried the first query and it worked!</P> Thu, 04 May 2017 12:21:15 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-search-result-based-on-case-condition/m-p/362460#M66078 andreigro 2017-05-04T12:21:15Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-search-result-based-on-case-condition/m-p/362461#M66079 <P>May I know how you are setting $ddl_instance$ token? </P> <P>It is most likely that eval can be used to set token at the same place for host directly. That way you will be able to add host in your base query hence resulting in filtering required results upfront rather than later. This should improve your search performance. (<A href="http://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Define_token_filtering_and_formatting">http://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Define_token_filtering_and_formatting</A>)</P> <P>In the current query you can change <STRONG>by host</STRONG> to <CODE>by selected_host</CODE> in your timechart command</P> <PRE><CODE>sourcetype="WMI:CPUTime" | eval selected_host=case("$ddl_instance$" == "a", "Server1", "$ddl_instance$" == "b", "Server2", "$ddl_instance$" == "c", "Server3") | timechart span=1d eval(round(avg(PercentProcessorTime),1)) by selected_host limit=20 </CODE></PRE> Thu, 04 May 2017 12:38:09 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-search-result-based-on-case-condition/m-p/362461#M66079 niketn 2017-05-04T12:38:09Z