I'm trying to do this
You can do this using conditional eval command in the search language to create one of N different search language strings, and then a ResultsValueSetter to pull down that string-valued field, and plug it into your search using another Search module.
I have my main search and a table.
From that table I make a postprocess to build a $varSearch$ with the search string.
My problem is that my postprocess does not seem to work as desired:
eval varSearch=case($row.fields.H_message_type$=="test","AA",H_message_type=="Ctest","ZZ")
This gives no results, so I'm not able to use it in the underlying search...?
OK. This can work, you just have to see the search expression from Splunk's perspective after the $foo$ token gets filled in.
eval varSearch=case($row.fields.H_message_type$=="test","AA",H_message_type=="Ctest","ZZ")
will go up as
eval varSearch=case(test=="test","AA",H_message_type=="Ctest","ZZ")
This is testing for when the value of the test field is equal to the string test. Change it to
eval varSearch=case("$row.fields.H_message_type$"=="test","AA",H_message_type=="Ctest","ZZ")
and what you'll be sending to Splunk will look like:
eval varSearch=case("test"=="test","AA",H_message_type=="Ctest","ZZ")
Splunk may raise an eyebrow at your silly behaviour, but it will evaluate the condition to true at least. It's a strange trick but not an uncommon one when all you need is a little conditional help from the search language.
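The point of the answer is that the token is replaced as plain text before the search language parses anything, so whether the value ends up as a field name or as a string literal depends only on the characters around the token in the template. The following Python is an added example that models that substitution step; it is not Splunk's code and not from this thread. It assumes that eval string literals are double-quoted and that an embedded quote or backslash can be escaped with a backslash, and it uses a constructed value containing a double quote to show why escaping the value is safer than relying on quotes written into the template.

```python
import re

# Matches a $token$ the way the thread's examples spell them, e.g.
# $row.fields.H_message_type$ (assumed syntax, modelled for this example).
TOKEN_RE = re.compile(r"\$([A-Za-z0-9_.]+)\$")

# Templates from the thread: the first leaves the token bare, the second
# wraps it in double quotes so the value becomes a string literal.
UNQUOTED_TEMPLATE = (
    'eval varSearch=case($row.fields.H_message_type$=="test","AA",'
    'H_message_type=="Ctest","ZZ")'
)
QUOTED_TEMPLATE = (
    'eval varSearch=case("$row.fields.H_message_type$"=="test","AA",'
    'H_message_type=="Ctest","ZZ")'
)
TOKEN = "row.fields.H_message_type"


def substitute_tokens(search: str, values: dict) -> str:
    """Textual substitution: every $name$ is replaced by values[name] as-is."""
    def repl(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"token {name} has no value")
        return values[name]
    return TOKEN_RE.sub(repl, search)


def quote_for_eval(value: str) -> str:
    """Render a value as an eval string literal, escaping backslashes and
    double quotes (assumed escape syntax: backslash)."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def substitute_tokens_quoted(search: str, values: dict) -> str:
    """Substitute into a template with bare tokens, but insert each value as
    a properly escaped string literal instead of raw text."""
    return substitute_tokens(search, {k: quote_for_eval(v) for k, v in values.items()})


def balanced_quotes(expr: str) -> bool:
    """True if every unescaped double quote in expr is closed; a cheap check
    that a substituted value did not break the literal it was placed in."""
    inside = False
    i = 0
    while i < len(expr):
        ch = expr[i]
        if ch == "\\" and inside:
            i += 2          # skip the escaped character
            continue
        if ch == '"':
            inside = not inside
        i += 1
    return not inside


if __name__ == "__main__":
    # Bare token: the value becomes a field reference (test=="test").
    print(substitute_tokens(UNQUOTED_TEMPLATE, {TOKEN: "test"}))
    # Quoted template: the value becomes a literal ("test"=="test").
    print(substitute_tokens(QUOTED_TEMPLATE, {TOKEN: "test"}))
    # Constructed value with an embedded quote: the quoted template breaks,
    # the escaping substitution keeps the literal intact.
    odd = 'te"st'
    print(balanced_quotes(substitute_tokens(QUOTED_TEMPLATE, {TOKEN: odd})))
    print(substitute_tokens_quoted(UNQUOTED_TEMPLATE, {TOKEN: odd}))
```

The first two calls reproduce the before and after from the answer above. The last two show the reason to prefer escaping the value over quoting the template: a field value that happens to contain a double quote leaves the template-quoted expression with unbalanced quotes, while substitute_tokens_quoted yields a well-formed literal.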
Now I understand the meaning of your workaround, many thanks!
Again, I acknowledge that this is both weird and kind of silly. I'm working on a simple module to provide this core switching use case, so there will be a better way soon.
eval is a command, so there has to be a "|" character in front of it. Can you clarify what you mean by "search eval.." It sounds like you're using the search command, which will simply search for these strings and thus return no results.
Try this:
| stats count | fields - count | eval varSearch=case("$row.fields.H_message_type$"=="test","AA",H_message_type=="Ctest","ZZ")
It looks bizarre because it is. | stats count creates one row with a 'count' field equal to 0. The fields clause then removes the count field, leaving a row and thus a blank slate for your eval...
Thanks for that.
I still have the problem that a "search eval..." returns no row; how can I change this?
In fact, it is probably the same issue as when I want to run spath on a $foo$ variable: I don't know how to do that either!