topic Re: Simple math and string concatenation in Splunk Search

Simple math and string concatenation

andreafebbo — Wed, 31 Aug 2016 14:57:43 GMT

Hi
I have this dashboard:

<form>
  <label>Prova_selettore_dinamico Clona v1</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="radio" token="period" searchWhenChanged="true">
      <label>Intervallo</label>
      <choice value="1">Last day</choice>
      <choice value="7">Last 7 days</choice>
      <choice value="30">Last 30 days</choice>
      <choice value="365">Last 12 months</choice>
      <default>30</default>
      <initialValue>-30d</initialValue>
      <prefix>-</prefix>
      <suffix>d</suffix>
    </input>
  </fieldset>
  CODE
          <earliest>$period$</earliest>
          <latest>now</latest>
   CODE

The token $period$ is set, for instance, at -30d (and I use this token i the query so i need it like this).

Now what I also need is the $period$ to double the period, for example: -60d

This implies that i have to extract the 30 from the string "-30d", double it and put it back between the "-" and the "d".

Another solution i thought is to set 2 values for every choice of the imput, like:

 <choice value="30" value2="60">Last 30 days</choice>

But this seems to be not possible.

Please help me.

I tried to integrate your code with my and this came our:

<form>
  <label>Prova_selettore_dinamico Clona v4</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="t" searchWhenChanged="true">
      <label>Timerange</label>
      <search>
        <query>| makeresults
               | eval x="Last day    |-1d@d  |-2d@d;
                         Last 7 days |-7d@d  |-14d@d;
                         Last 30 days|-30d@d |-60d@d"
               | makemv x delim=";"
               | mvexpand x
               | rex field=x "(?<label>[^\|]+)\|(?<value>[^\|]+)\|(?<doublevalue>.*)"
               | table label value doublevalue</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>label</fieldForLabel>
      <fieldForValue>value</fieldForValue>
      <change>
        <set token="double">$row.doublevalue$</set>
        <set token="nor">$row.value$</set>
      </change>
      <default>dfsdfhsdgh</default>
      <initialValue>-1d@d</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>BASE QUERY   
| eval when=if(_time &gt; relative_time(now(), "$nor$"), "Current_Week", "Prev_Week")  
| stats count as events by  source when  
| chart sum(events) by source, when  
| eval perc = (Current_Week-Prev_Week)/Prev_Week 
| eval trend = case(perc < -0.3, "basso", (perc >= -0.3 and perc <= 0.3 ), "medio", perc > 0.3, "alto") 
| table source, Current_Week, Prev_Week, perc, trend</query>
          <earliest>$double$</earliest>
          <latest>now</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>

Everything seems to work except one thing.
In the second row of the second query is written:

| eval when=if(_time &gt; relative_time(now(), "$nor$"), "Current_Week", "Prev_Week")

and for some reason it put everything in Prev_Week.
instead if I write this line like this:

| eval when=if(_time > relative_time(now(), "-7d"), "Current_Week", "Prev_Week")

then everything works, but of course is not dynamic.

Can you help me understand why?

Thank you

Re: Simple math and string concatenation

sundareshr — Wed, 31 Aug 2016 15:13:39 GMT

What you will need to do is create a dynamic query that generates a table with 3 columns, label, value and value2. Bind the results to the dropdown, and set a token on change event to pick the "double" value. Here is a "run anywhere" sample that will give you an idea on how this can be done.

<form>
  <label>Test</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="t">
      <label>Timerange</label>
      <search>
        <query>| makeresults | eval x="Last day|-1d@d|-2d@d;Last 7 days|-7d@d|-14d@d;Last 30 days|-30d@d|-60d@d" | makemv x delim=";" | mvexpand x | rex field=x "(?<label>[^\|]+)\|(?<value>[^\|]+)\|(?<doublevalue>.*)" | table label value doublevalue</query>
      </search>
      <fieldForLabel>label</fieldForLabel>
      <fieldForValue>value</fieldForValue>
      <change>
        <set token="double">$row.doublevalue$</set>
      </change>  
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <search>
          <query>index=_internal earliest=$double$ | stats earliest(_time) as first latest(_time) as last | eval first=strftime(first, "%x %X") | eval last=strftime(last, "%x %X") | eval double="$double$"</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
      </event>
    </panel>
  </row>
</form>

Re: Simple math and string concatenation

andreafebbo — Wed, 31 Aug 2016 15:55:49 GMT

Can you answer also to this question?

https://answers.splunk.com/answers/446961/calculate-time-and-doubling-it-from-the-user-selec.html

Thank you

Re: Simple math and string concatenation

sundareshr — Thu, 01 Sep 2016 14:12:49 GMT

Please do not update the original question. Add your feedback/comments in the comments section. Its become very difficult to track.

Now, re: your issue. You dont need the "nor" token. You should use $t$ for it. So, your query should look like this

| eval when=if(_time > relative_time(now(), "$t$"), "Current_Week", "Prev_Week")

Re: Simple math and string concatenation

andreafebbo — Thu, 01 Sep 2016 14:23:53 GMT

I did it and it works in the same way, still putting everything in the prev_week. 😞

Re: Simple math and string concatenation

sundareshr — Thu, 01 Sep 2016 15:05:26 GMT

Add this just below the <panel> tag.

<title>value=$t$; doublevalue=$double$</title>.

Do the values look right when you run it?

Re: Simple math and string concatenation

andreafebbo — Thu, 01 Sep 2016 15:17:05 GMT

yes, the numbers look right:
value=-7d@d ; doublevalue=-14d@d
but all the data keep going into the prev_week.

And still if i change from "$t$" to "-14d", which should be the exact same value, then it works.

😞

Re: Simple math and string concatenation

sundareshr — Thu, 01 Sep 2016 16:25:24 GMT

remove the quotes around $t$ .

Re: Simple math and string concatenation

andreafebbo — Thu, 01 Sep 2016 18:07:17 GMT

if I remove the quotes around $t$ it gives me the following error:

Error in 'eval' command: The expression is malformed. Expected ).

I think it is because that $t$ is inside the query.

Re: Simple math and string concatenation

sundareshr — Thu, 01 Sep 2016 19:24:54 GMT

In the bottom left corner of the panel, there is a magnifying glass. Click on that, see what you get in the search

Re: Simple math and string concatenation

andreafebbo — Fri, 02 Sep 2016 07:58:12 GMT

i get this:

eval when=if(_time > relative_time( now(), "-7d@d  " )

the problem is the space after the d.

so i changed form this

Last 7 days |-7d@d  |-14d@d;

to this

Last 7 days |-7d@d|-14d@d;

and now seems to work

Thank you a lot 🙂

Re: Simple math and string concatenation

sundareshr — Fri, 02 Sep 2016 11:47:27 GMT

@andreafebbo Can I close out the other question as a duplicate of this one?

Re: Simple math and string concatenation

andreafebbo — Fri, 02 Sep 2016 14:21:56 GMT

I needed for the same dashboard but the other does something broader so it would be nice to find a solution, but just for academical ends 😛