topic Re: Nested eval command in search in Splunk Search

Nested eval command in search

AKG1_old1 — Wed, 08 Nov 2017 15:53:01 GMT

Hi,

I have to use nested eval command in my search query.

Requirement:

if isnotnull(GC_TIMESTAMP) then
set _time = GC_TIMESTAMP
else if ($Log_or_live$=="Log")
set _time = $mlc_log_start_time$ + relative_time
else
set _time = _time

I tried to make it working but its malformed. Please help to correct syntax.

eval _time=if(isnotnull(GC_TIMESTAMP),GC_TIMESTAMP,(if($Log_or_live$=="Log"),$mlc_log_start_time$ + relative_time,_time)))

Re: Nested eval command in search

somesoni2 — Wed, 08 Nov 2017 15:58:52 GMT

We have case function for that.

...| eval _time=case(isnotnull(GC_TIMESTAMP),GC_TIMESTAMP, "$Log_or_live$"=="Log",$mlc_log_start_time$ + relative_time,1=1,_time)

Re: Nested eval command in search

kamlesh_vaghela — Wed, 08 Nov 2017 16:02:41 GMT

Hi
Can you please try this one??

| eval Log_or_live="$Log_or_live$",mlc_log_start_time=tonumber("$mlc_log_start_time$") , _time=case(isnotnull(GC_TIMESTAMP),GC_TIMESTAMP,Log_or_live=="Log",mlc_log_start_time + relative_time,1=1,_time)

I have kept token value in the field and used in case.

Thanks

Re: Nested eval command in search

AKG1_old1 — Tue, 29 Sep 2020 16:39:28 GMT

Thank you. its working fine with one exception. if value of $Log_or_live$ or $mlc_log_start_time$ is not set query is waiting for input. even if case(isnotnull(GC_TIMESTAMP is true.

Is it possible to execute query if some token is not set in search query ?

Re: Nested eval command in search

somesoni2 — Thu, 09 Nov 2017 03:02:19 GMT

Nopes. If a token is used in the search, it should be set in order to run the search. How are you populating those tokens? May be you can set some default values for them?

Re: Nested eval command in search

kamlesh_vaghela — Thu, 09 Nov 2017 08:29:13 GMT

I have created Sample dashboard for you which will resolve "Waiting For input" issue.

Here I have used sample data and searches. Here, I don't much information about your dashboard So I use Dropdown for Log_or_live token and text box for mlc_log_start_time token.

XML

<form script="my.js">
  <label>Dashboard Dynamic Token</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="tkn_Log_or_live" id="tkn_Log_or_live_id">
      <label>Log_or_live</label>
      <choice value="Log">Log</choice>
      <choice value="Live">Live</choice>
    </input>
    <input type="text" token="tkn_mlc_log_start_time" id="tkn_mlc_log_start_time_id">
      <label>mlc_log_start_time</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>
          $Log_or_live$
        </title>
        <search>
          <query>| makeresults  | eval Log_or_live="$Log_or_live$",mlc_log_start_time=tonumber("$mlc_log_start_time$") , _time=case(isnotnull(GC_TIMESTAMP),GC_TIMESTAMP,Log_or_live=="Log",mlc_log_start_time + relative_time,1=1,_time)</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

my.js

require([
     'underscore',
     'jquery',
     'splunkjs/mvc',
     'splunkjs/mvc/tableview',
     'splunkjs/mvc/simplexml/ready!'
 ], function(_, $, mvc, TableView) {
     // Access the "default" token model
     var defaultTokenModel = mvc.Components.get('default');
     var submittedTokens = mvc.Components.get('submitted');


    var tkn_Log_or_live_id = mvc.Components.get('tkn_Log_or_live_id');
    var tkn_mlc_log_start_time_id = mvc.Components.get('tkn_mlc_log_start_time_id');

    tkn_Log_or_live_id.on('change', function(value) 
    {
      console.log("tkn_Log_or_live_id",value)
      if(value!=undefined && value!="")
      {
        defaultTokenModel.set("Log_or_live", value);
      }
      else {
        defaultTokenModel.set("Log_or_live", "NoValue");
      }
      submittedTokens.set(defaultTokenModel.toJSON());
    });

    tkn_mlc_log_start_time_id.on('change', function(value)  {
      console.log("tkn_mlc_log_start_time_id",value)
      if(value!=undefined && value!="")
      {
        defaultTokenModel.set("mlc_log_start_time", value);
      }
      else {
        defaultTokenModel.set("mlc_log_start_time", 0);
      }
      submittedTokens.set(defaultTokenModel.toJSON());

    });

    defaultTokenModel.set("Log_or_live", "NoValue");
    defaultTokenModel.set("mlc_log_start_time", 0);
    submittedTokens.set(defaultTokenModel.toJSON());


 });

Re: Nested eval command in search

AKG1_old1 — Tue, 29 Sep 2020 16:39:52 GMT

I tried that but setting default value for $mlc_log_start_time$ will drive my dashboard twice in case when its value is needed. my dashboard depends on value of this token.

Say I set its value 0 by default. then it generate my dashboard and when its actual value is set it redrive dashboard again.

PS: It take time to set the value of $mlc_log_start_time$ as its drived from another query which is not very fast.

Re: Nested eval command in search

AKG1_old1 — Thu, 09 Nov 2017 09:42:10 GMT

sorry, I missed your answer earlier. Thanks for help. I am not willing to use java script on my dashboard as its already too complex and we use to make changes very frequently so its difficult to maintain. Anyway, Thank you so much for your suggestions.

Re: Nested eval command in search

niketn — Thu, 09 Nov 2017 09:48:39 GMT

@agoyal, you use depends attribute with the two tokens for the panel where the tokens are supposed to be used. That way the panel will not display until value is set. On top of depends you can also use rejects attribute to show some HTML content when the token is not set.

You can check out the Null Search Swapper example in Splunk Dashboard Examples app for depends and rejects to work. Following is an example:

<panel depends="$Log_or_live$,$mlc_log_start_time$">
   ....

Re: Nested eval command in search

ryhluc01 — Fri, 01 Mar 2019 19:39:50 GMT

Please select an answer to your question.