topic Re: pass case statement result to search string in Splunk Search

pass case statement result to search string

k_harini — Tue, 29 Sep 2020 13:31:49 GMT

I have tokens coming from drilldown
index="test" | eval res_time = case( "PRIORITY CODE" == "1" ,"Resolution Time <=120",1=1,"Resolution Time <2880")| table res_time

Here res_time here generates value. But i want to pass this to search and retrieve the table. if i pass this to search its not working. May be due to quotes issue. Not sure.. Please help

Thanks,
Harini

Re: pass case statement result to search string

gfreitas — Tue, 04 Apr 2017 08:38:01 GMT

Do you have this field "Resolution Time"? If you want to calculate it, "Resolution Time" <=120 and "Resolution Time" <2880

Re: pass case statement result to search string

niketn — Tue, 04 Apr 2017 08:47:47 GMT

[Updated Answer] Since your search filter is being set on clicking of a cell in a table, one of the ways to set required search query filter would be to perform eval at the table drilldown event itself.

    <drilldown>
      <eval token="res_time">case($row.PRIORITY CODE$=="1","Resolution Time&lt;=120",true(),"Resolution Time&gt;2880")</eval>
    </drilldown>

This should set the token res_time to either "Resolution Time<120" or "Resolution Time>2880" depending on your PRIORITY CODE value is 1 or not.

Your current query seems to be incorrect anyways. If you want to perform search on the result/s of your main search you can use the map command. Following is a run anywhere search

| makeresults
| eval testValue=0
| eval searchQuery=case(testValue=="0","INFO",testValue=="1","WARN",testValue=="2","ERROR",1==1,"*")
| table searchQuery
| map search="search index=_internal sourcetype=splunkd log_level=\"$searchQuery$\"| head 1| eval myFilter="\$searchQuery$\"| table _time myFilter _raw"

You can also refer to my recent answer on the same line... https://answers.splunk.com/answers/515546/how-to-create-dynamic-commands-in-search.html#answer-517907

Splunk Documentation on map command for your reference: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map

Re: pass case statement result to search string

k_harini — Tue, 04 Apr 2017 08:49:00 GMT

It is there. But I cannot call straight forward field. I need to invoke in this way. Is it possible

Re: pass case statement result to search string

k_harini — Tue, 04 Apr 2017 08:57:21 GMT

Thanks. Will try. My current query pulls Resolution Time comparison. But If I pass in search I get no results found

Re: pass case statement result to search string

woodcock — Tue, 04 Apr 2017 20:30:44 GMT

Your references to the field names with spaces is wrong which is why I try to avoid field names with spaces until the end and then rename them with | rename Field_with_spaces AS "Field with spaces".

In any case, try this:

index="test" | eval res_time = case( 'PRIORITY CODE' == 1, 'Resolution Time' <= 120, true(), 'Resolution Time' < 2880) | table res_time

OR:

index="test" | eval res_time = case( $PRIORITY CODE$ == 1, $Resolution Time$ <= 120, true(), $Resolution Time$ < 2880) | table res_time

But that will need adjustment if saved into a dashboard panel.

Re: pass case statement result to search string

niketn — Tue, 04 Apr 2017 20:43:45 GMT

What is the search where you want to use the res_time field?

Re: pass case statement result to search string

DalJeanis — Tue, 04 Apr 2017 21:39:23 GMT

If you are wanting to "pass this to the search", then you have to pass values that will actually tell the search what events to search for.

In this case, you need to pass "PRIORITY CODE" = "1" or pass "PRIORITY CODE" != "1".

Re: pass case statement result to search string

k_harini — Wed, 05 Apr 2017 16:48:20 GMT

Thanks woodcock. I will try this. Actually I get result with resolution time>120, resolution time<240..etc. But when I pass to search I have to pass only resolution time in quotes for it to work.. That I could not achieve. Will try this.

Re: pass case statement result to search string

k_harini — Wed, 05 Apr 2017 16:50:09 GMT

I have to search the events and pull only those records that fall into resolution comparison criteria. That criteria will come from another table cell drill down. It's kind of sla calculation based on this time in each cell..

Re: pass case statement result to search string

niketn — Fri, 07 Apr 2017 04:29:55 GMT

@k_harini... I have updated my answer with one of the approaches to use eval to set token during table drilldown. You can get your search filter query through case statement in eval.

<eval token="res_time">case($row.PRIORITY CODE$=="1","Resolution Time&lt;=120",true(),"Resolution Time&gt;2880")</eval>

Re: pass case statement result to search string

niketn — Sat, 08 Apr 2017 10:28:16 GMT

@k_harini, please try out and confirm whether you were able to proceed or not.