topic Re: Eval If statement with searches as arguments in Splunk Search

Eval If statement with searches as arguments

nisha_kapoor — Thu, 06 Jul 2017 02:27:55 GMT

I am using the eval as follows:

eval result= if(var1=="All", [search1], [search2])

where search1 and search2 both return tables. According the whether the if condition is satisfied or not I display either one of the tables. The error which I am getting when I execute the above query is:

Error in 'eval' command: The expression is malformed. An unexpected character is reached at ').

Re: Eval If statement with searches as arguments

niketn — Thu, 06 Jul 2017 13:32:40 GMT

@nisha_kapoor, how is var1=="All" or var1!="All" set. Is this coming from an input or existing search. Please provide a background of your use case, as there could be multiple solutions to this problem.

Re: Eval If statement with searches as arguments

DalJeanis — Thu, 06 Jul 2017 13:38:34 GMT

An eval doesn't work that way. result is a variable, and table variables don't exist in splunk, as far as I know.

You can achieve the same thing, though, with map.

| eval result= if(var1=="All", "search language for search1", "search language for search2")
| map search="$result$"

Re: Eval If statement with searches as arguments

woodcock — Thu, 06 Jul 2017 15:52:49 GMT

Like this:

 [ Some Search Here | head 1 | eval search=if(var1=="All", "search language for search1", "search language for search2") | table search ]

Re: Eval If statement with searches as arguments

DalJeanis — Thu, 06 Jul 2017 18:34:35 GMT

@woodcock - Cool! Context, please? Like, exactly what has to be in place for this elegant little strategy to work?

This is going to return a variable named search with a value like search language for search1, so it seems like it will work when it is the entire search. Any other places it will work?

Re: Eval If statement with searches as arguments

nisha_kapoor — Thu, 06 Jul 2017 21:09:27 GMT

var1 is coming from a form input (dropdown). If that value is equal to "All" a run a certain search on my index and display the table else I run a different search and display that table. The issue I am facing is that I think only numbers/strings and not tables can be returned as arguments to an eval statement.

Re: Eval If statement with searches as arguments

woodcock — Thu, 06 Jul 2017 21:39:13 GMT

This is just the subsearch side of your map coin. Almost anything that you can do with map, templating wise, you can also do with a subsearch by turning the design "inside-out".

Re: Eval If statement with searches as arguments

nisha_kapoor — Thu, 06 Jul 2017 21:46:06 GMT

This is what I tried originally, but it gives me this error

Error in 'eval' command: The expression is malformed. An unexpected character is reached at ') , ( ( row1 of search) OR (row2 of search) OR (row 3 of search) ) ) )'.

Re: Eval If statement with searches as arguments

nisha_kapoor — Thu, 06 Jul 2017 22:00:24 GMT

I tried this and now this is the error I am getting

Error in 'eval' command: The expression is malformed. Expected ).

Re: Eval If statement with searches as arguments

woodcock — Thu, 06 Jul 2017 22:03:50 GMT

If your search strings include double-quote characters ", you will have to escape each one with a backslash .

Re: Eval If statement with searches as arguments

nisha_kapoor — Thu, 06 Jul 2017 22:18:35 GMT

Oh okay, I did that too and the error has disappeared, but now instead of the data, the search string is repeated over and over again in the result table.

This is the query with the modifications:

index="test_data"| eval search= if(var1!= "All" , "search index=\"test_data\" extracted_Source=\"*\" Target=\"*\" 
Status=\"*\" Name=\"*\" col1=\"*\"  | table Name extracted_Source Target Status Details CreatedAt | sort -CreatedAt Time" ,
"search index=\"test_data\" extracted_Source=\"*\" Target=\"*\" Status=\"*\" Name=\"*\" 
| table Name extracted_Source Target Status Details CreatedAt | sort -CreatedAt Time")| table search

Re: Eval If statement with searches as arguments

niketn — Fri, 07 Jul 2017 06:31:01 GMT

@nisha_kapoor, you can code the change event of the dropdown and pass on the Search query as token (queryString in the following example) based on selected value in the dropdown.

Following is a run anywhere example:

<row>
   <panel>
      <input type="dropdown" token="var1" searchWhenChanged="true">
          <label>Select Value</label>
          <choice value="All">All</choice>
          <choice value="Other">Other</choice>
             <change>
                <condition value="All">
                    <set token="queryString">index=_internal sourcetype=splunkd log_level!="INFO" | stats count by log_level</set>
                </condition>
                <condition>
                    <set token="queryString">| makeresults | eval msg="$value$ value selected"</set>
                </condition>
             </change>
             <default>All</default>
          </input>
          <table>
               <search>
                   <query>$queryString$</query>
                   <earliest>-24h@h</earliest>
                   <latest>now</latest>
               </search>
                <option name="count">5</option>
                <option name="wrap">true</option>
                <option name="drilldown">none</option>
                <option name="dataOverlayMode">none</option>
          </table>
   </panel>
</row>

Re: Eval If statement with searches as arguments

woodcock — Fri, 07 Jul 2017 20:28:11 GMT

Try this:

[ index="test_data" 
| head 1
| eval search=if((var1!= "All"), "index=\"test_data\" extracted_Source=\"*\" Target=\"*\" Status=\"*\" Name=\"*\" col1=\"*\" | table Name extracted_Source Target Status Details CreatedAt | sort -CreatedAt Time" , "index=\"test_data\" extracted_Source=\"*\" Target=\"*\" Status=\"*\" Name=\"*\" | table Name extracted_Source Target Status Details CreatedAt | sort -CreatedAt Time") | table search ]

Re: Eval If statement with searches as arguments

nisha_kapoor — Tue, 29 Sep 2020 14:46:49 GMT

This doesn't seem to be working. I want that if I put a value instead of *, the results should be filtered based on that criteria. However, the above command simply seems to be getting me all the results stored in "test_data" and returning the top one.

This is another way I tried,

index="test_data" extracted_Source="$field4$" Target="$field5$"
Status="$field7$" Name="$field8$" ($field1$ != "All" AND $field1$="$field2$") OR ($field1$==All AND TransactionID ="*") | table TransactionID Name extracted_Source Target Status Details CreatedAt

The first part of this works fine as in the filter criteria (field1=field2) gets appended to the initial search when $field1$!= All. However, the second condition($field1$==All) is never satisfied.

Can someone help me on how to compare the value of a field to a string and return true?

Re: Eval If statement with searches as arguments

nisha_kapoor — Fri, 07 Jul 2017 21:19:22 GMT

This seems to work perfectly, thank you!

Re: Eval If statement with searches as arguments

nisha_kapoor — Fri, 07 Jul 2017 21:42:41 GMT

This seems to achieve what I was looking for, but there is one glitch. When I select a new option, the results don't load until I manually refresh my browser. Is there some way around this, since I don't want my users to have to refresh the browser each time they select a different option.

Re: Eval If statement with searches as arguments

niketn — Sat, 08 Jul 2017 00:38:28 GMT

Can you ensure that searchWhenChanged is set to true for the drop down?

   <input type="dropdown" token="var1" searchWhenChanged="true">

Re: Eval If statement with searches as arguments

nisha_kapoor — Sat, 08 Jul 2017 01:36:40 GMT

Yeah my searchWhenChanged option is set to true, however the queryString doesn't get updated. It uses the previously stored value when it is passed to the search panel.

Re: Eval If statement with searches as arguments

niketn — Sat, 08 Jul 2017 05:27:16 GMT

Which version of Splunk are you on. Is Autorun dashboard enabled?

Re: Eval If statement with searches as arguments

nisha_kapoor — Sat, 08 Jul 2017 20:07:14 GMT

Hi I am on Splunk Enterprise and my Autorun dashboard is on. The search refreshes when a new option is selected from the dropdown, the only problem is that querystring retains the previous dropdown value.

So suppose I open my search and the default value of the dropdown is "a". I select value as "b" and click submit(autorun and search on change are also on), the querystring still searches with "a" instead of "b" until I refresh the browser or change my selection again.