topic Re: How can I use pre evaluated param in my rex? in Splunk Search

How can I use pre evaluated param in my rex?

ortalis — Thu, 03 Dec 2020 17:33:28 GMT

I'm getting from my dashboard parameter with '_' value in it, I would like to start my search by evaluating a new parameter without the '_' and then use it in my search.
In Addition, I would like to inject this parameter into my regex and do another manipulation on my result.

This is my query:

I would like it to be searched like that:

I can't seem to figure it out, could somebody help me?

Thanks:)

Re: How can I use pre evaluated param in my rex?

bowesmana — Thu, 03 Dec 2020 21:59:30 GMT

@ortalis

Are you talking about a token in your dashboard that you are passing to a search. If so, why not remove the _ in the token before you pass it to the query. Then you can use the token as is, without having to change it in the query.

Your query examples don't seem to be valid queries though, so not totally clear on how you are getting your value. Can you provide more info.

Re: How can I use pre evaluated param in my rex?

ortalis — Sun, 06 Dec 2020 08:47:06 GMT

I have created a dashboard that I'm getting the value from the user.
I need to use this query also in a code I wrote so I need to find a way to replace these values so my query would work.
The query isn't valid right now since I don't know how to pre-evaluate the temp param before doing the search ("ERROR" "Exception in script execution" "at scripts.$temp$."), and then injecting the value to the rex command.
@bowesmana

Re: How can I use pre evaluated param in my rex?

bowesmana — Sun, 06 Dec 2020 23:03:58 GMT

Can you post the dashboard snippets of your inputs and searches, it's not clear to me what is needed

Re: How can I use pre evaluated param in my rex?

ormal — Thu, 10 Dec 2020 16:19:46 GMT

Here is our Query now:

index=myindex script=$script$ customer_name=* run_number=*
| table customer_name run_number
| join run_number
[search index=myindex
[search index=myindex "ERROR" "at scripts.$temp$."
[search index=myindex script=$script$ customer_name=$customer_name$ run_number=*
| head 1 | return run_number]
| rex "at\sscripts.$temp$.(?<stack_trace>[^\t\n\s]+)"
| head 1 | table stack_trace
| return $stack_trace]
|table run_number]

We dont want to get the "temp" value from the user.
We want to create it from the script name.
For example if the script name is: "or_m.pdf"
we want the remove the "_" and the suffix ".pdf" so it will be: "orm"

Re: How can I use pre evaluated param in my rex?

bowesmana — Fri, 11 Dec 2020 06:29:37 GMT

The important part here is your dashboard token handling, not the query. In order to generate a temp token from the script, this would be done in the drilldown logic of your dashboard, bnot the query. You cannot do this in the query itself. Please post the dashboard logic you are using to set the relevant tokens.

Also, I don't know what your data is like, but I would suggest finding a better way of doing your search. It is rarely necessary to use join - and the fact that you are using 3 subsearches is most likely a very bad idea and most likely not necessary.

Generally you only have to do a single search and use aggregation and evaluations to get the correct data filtered. Your 4 searches will all have to be done separately - and will each have to run independently, so is likely to be very slow in comparison to a more optimal search.