Archive

help on token strange behaviour

Contributor

hi

I use the search below and I filter the data with 2 token

| inputlookup tablet_host.csv 
| lookup PanaBatteryStatus.csv "Hostname00" as host OUTPUT BatteryTemp00 BatteryModel00 CycleCount00 HealthState00 LastRecalibration00 ManufactureDate00 DesignCapacity00 
| lookup lookup_cmdb_fo_all.csv HOSTNAME as host output SITE 
| stats values(SITE) as SITE values(BatteryModel00) as BatteryModel values(CycleCount00) as CycleCount values(HealthState00) as HealthState values(LastRecalibration00) as LastRecalibration values(ManufactureDate00) as ManufactureDate values(DesignCapacity00) as DesignCapacity by host 
| search CycleCount=$tok_cycle$ 
| search HealthState=$tok_health$ 
| sort +host

I have an issue with | search HealthState=$tok_health$
By default, the filter value is : <85
The filter works but in the result I also have events where healthstate = 100,00 or more!
conversely, when I m doing >85 I have no events where value is 100,00 or more!
what is the problem please??

Tags (1)
0 Karma
1 Solution

Ultra Champion

Looks like your healthstate field is interpreted as a string. Try inserting an | eval HealthState=tonumber(HealthState) between the stats and the search commands.

View solution in original post

0 Karma

Ultra Champion

Looks like your healthstate field is interpreted as a string. Try inserting an | eval HealthState=tonumber(HealthState) between the stats and the search commands.

View solution in original post

0 Karma

Contributor

I Have no results when i add the code :

stats values(SITE) as SITE values(BatteryModel00) as BatteryModel values(CycleCount00) as CycleCount values(HealthState00) as HealthState values(LastRecalibration00) as LastRecalibration values(ManufactureDate00) as ManufactureDate values(DesignCapacity00) as DesignCapacity by host
| eval HealthState=tonumber(HealthState)
| search CycleCount$tok_cycle$
| search HealthState$tok_health$
| sort +host

0 Karma

Ultra Champion

Ah, my bad, the issue is with the comma instead of . as decimal separator. Try it like this:

| eval HealthState=tonumber(replace(HealthState,",","."))
0 Karma

Contributor

i cant accept your answer I dont know why??

0 Karma

Ultra Champion

I converted the relevant comment to an answer, you should be able to accept that now 🙂

0 Karma

Contributor

perfect!! thanks

0 Karma

Dear @jip31,

Are you trying to pass value as mentioned below.

    | search CycleCount=<85
    | search HealthState=<85    
    OR     
    | search CycleCount=>85
    | search HealthState=>85

Can you try something like this

| search CycleCount<=85
| search HealthState<=85
OR
| search CycleCount>=85
| search HealthState>=85

Thanks,
Shankarananth

0 Karma

Contributor

Sorry I have spoken too fast
no encoded issue but I have an error ith OR : operator is missing a clause on the right hand side
but if I only do :
| search CycleCount<=85
| search HealthState<=85
I have always events > 85!

0 Karma

Dear @jip31,

It's ok no problem..
Is below code are the one you're expecting to achieve..
Kindly provide the screen-shot of error, your getting while adding the below code to your query.

 | search CycleCount<=85
 | search HealthState<=85

In What manner you're going to pass the token value eg 85 or >85 or <85 or !85.

Thanks..

0 Karma

Contributor

Ihave no error with this code shankarananth but I have the same problem : even if I m doing > 85 I have events =100 or more...

0 Karma

@ jip3,

Is above mentioned code latest one ..
can you display the complete code one more time ..

Thanks..

0 Karma

Contributor

Here is the xml

<form>
  <label>Hardware Monitoring - Battery details</label>
  <fieldset submitButton="true">
    <input type="text" token="tok_cycle" searchWhenChanged="true">
      <label>CycleCount</label>
      <default>&gt; 200</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="tok_health" searchWhenChanged="true">
      <label>HealthState</label>
      <default>&lt; 85</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| inputlookup tablet_host.csv 
| lookup PanaBatteryStatus.csv "Hostname00" as host OUTPUT BatteryTemp00 BatteryModel00 CycleCount00 HealthState00 LastRecalibration00 ManufactureDate00 DesignCapacity00 
| lookup lookup_cmdb_fo_all.csv HOSTNAME as host output SITE 
| stats values(SITE) as SITE values(BatteryModel00) as BatteryModel values(CycleCount00) as CycleCount values(HealthState00) as HealthState values(LastRecalibration00) as LastRecalibration values(ManufactureDate00) as ManufactureDate values(DesignCapacity00) as DesignCapacity by host 
| search CycleCount$tok_cycle$ 
| search HealthState$tok_health$ 


| sort +host</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
0 Karma

Ultra Champion

Can you share a screenshot as well?

0 Karma

Contributor
0 Karma

Contributor

hi
when I do this I have an "encoded" issue with > or <

0 Karma

Path Finder

Hi,

I think you should take below point into consideration about command. Might be this could help you in some extent.

Specify the number of results to return from the sorted results. If no count is specified, the default limit of 10000 is used. If 0 is specified, all results are returned.

Thanks

0 Karma

Builder

try wrapping your token in tonumber function like

| eval health = tonumber($tok_health|s$) 
0 Karma

Contributor

hi
I have an issue : Error in 'eval' command: The arguments to the 'tonumber' function are invalid.

0 Karma

Ultra Champion

Yeah, that of course doesn't work when you include the < operator in the token value.

0 Karma