Splunk Search

help on token strange behaviour

jip31
Motivator

hi

I use the search below and I filter the data with 2 tokens:

| inputlookup tablet_host.csv 
| lookup PanaBatteryStatus.csv "Hostname00" as host OUTPUT BatteryTemp00 BatteryModel00 CycleCount00 HealthState00 LastRecalibration00 ManufactureDate00 DesignCapacity00 
| lookup lookup_cmdb_fo_all.csv HOSTNAME as host output SITE 
| stats values(SITE) as SITE values(BatteryModel00) as BatteryModel values(CycleCount00) as CycleCount values(HealthState00) as HealthState values(LastRecalibration00) as LastRecalibration values(ManufactureDate00) as ManufactureDate values(DesignCapacity00) as DesignCapacity by host 
| search CycleCount=$tok_cycle$ 
| search HealthState=$tok_health$ 
| sort +host

I have an issue with | search HealthState=$tok_health$
By default, the filter value is: <85
The filter works, but in the result I also have events where HealthState = 100,00 or more!
Conversely, when I'm doing >85 I have no events where the value is 100,00 or more!
What is the problem, please?

0 Karma
1 Solution

FrankVl
Ultra Champion

Looks like your healthstate field is interpreted as a string. Try inserting an | eval HealthState=tonumber(HealthState) between the stats and the search commands.

0 Karma

jip31
Motivator

I have no results when I add the code:

stats values(SITE) as SITE values(BatteryModel00) as BatteryModel values(CycleCount00) as CycleCount values(HealthState00) as HealthState values(LastRecalibration00) as LastRecalibration values(ManufactureDate00) as ManufactureDate values(DesignCapacity00) as DesignCapacity by host
| eval HealthState=tonumber(HealthState)
| search CycleCount$tok_cycle$
| search HealthState$tok_health$
| sort +host

0 Karma

FrankVl
Ultra Champion

Ah, my bad, the issue is with the comma instead of . as decimal separator. Try it like this:

| eval HealthState=tonumber(replace(HealthState,",","."))
0 Karma
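An added example, not from this thread, that reproduces the behaviour with constructed values: HealthState arrives as text with a comma decimal separator, so `search HealthState<85` compares lexicographically and "100,00" sorts before "85". Normalising the separator and converting with tonumber before the filter makes the comparison numeric. The hostnames and values are constructed, and the final filter stands in for `$tok_health$` carrying the operator as in the dashboard.

```spl
| makeresults count=4
| streamstats count AS n
``` constructed sample rows: one host per event, HealthState as text with a comma ```
| eval host=case(n=1,"tab01", n=2,"tab02", n=3,"tab03", n=4,"tab04"),
       HealthState=case(n=1,"100,00", n=2,"84,50", n=3,"85,00", n=4,"9,75")
``` keep the raw text for comparison, then convert the separator and the type ```
| eval HealthState_raw=HealthState,
       HealthState=tonumber(replace(HealthState, ",", "."))
``` numeric filter: only tab02 (84.5) and tab04 (9.75) remain; filtering on HealthState_raw<85 instead would also return "100,00" ```
| search HealthState<85
| table host HealthState_raw HealthState
```

The triple-backtick comments are SPL inline comment syntax (Splunk 9 and later); remove them on older versions.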

jip31
Motivator

I can't accept your answer, I don't know why.

0 Karma

FrankVl
Ultra Champion

I converted the relevant comment to an answer, you should be able to accept that now 🙂

0 Karma

jip31
Motivator

Perfect!! Thanks

0 Karma

Shan
Builder

Dear @jip31,

Are you trying to pass the value as mentioned below?

    | search CycleCount=<85
    | search HealthState=<85    
    OR     
    | search CycleCount=>85
    | search HealthState=>85

Can you try something like this:

| search CycleCount<=85
| search HealthState<=85
OR
| search CycleCount>=85
| search HealthState>=85

Thanks,
Shankarananth

0 Karma

jip31
Motivator

Sorry, I have spoken too fast.
No encoding issue, but I have an error with OR: operator is missing a clause on the right hand side
But if I only do:
| search CycleCount<=85
| search HealthState<=85
I still have events > 85!

0 Karma

Shan
Builder

Dear @jip31,

It's ok, no problem..
Is the code below the one you're expecting to achieve?
Kindly provide a screenshot of the error you're getting while adding the code below to your query.

 | search CycleCount<=85
 | search HealthState<=85

In what manner are you going to pass the token value, e.g. 85 or >85 or <85 or !85?

Thanks..

0 Karma

jip31
Motivator

I have no error with this code Shankarananth, but I have the same problem: even if I'm doing > 85 I have events =100 or more...

0 Karma

Shan
Builder

@jip31,

Is the above mentioned code the latest one?
Can you display the complete code one more time?

Thanks..

0 Karma

jip31
Motivator

Here is the XML

<form>
  <label>Hardware Monitoring - Battery details</label>
  <fieldset submitButton="true">
    <input type="text" token="tok_cycle" searchWhenChanged="true">
      <label>CycleCount</label>
      <default>&gt; 200</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="tok_health" searchWhenChanged="true">
      <label>HealthState</label>
      <default>&lt; 85</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| inputlookup tablet_host.csv 
| lookup PanaBatteryStatus.csv "Hostname00" as host OUTPUT BatteryTemp00 BatteryModel00 CycleCount00 HealthState00 LastRecalibration00 ManufactureDate00 DesignCapacity00 
| lookup lookup_cmdb_fo_all.csv HOSTNAME as host output SITE 
| stats values(SITE) as SITE values(BatteryModel00) as BatteryModel values(CycleCount00) as CycleCount values(HealthState00) as HealthState values(LastRecalibration00) as LastRecalibration values(ManufactureDate00) as ManufactureDate values(DesignCapacity00) as DesignCapacity by host 
| search CycleCount$tok_cycle$ 
| search HealthState$tok_health$ 


| sort +host</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
0 Karma

FrankVl
Ultra Champion

Can you share a screenshot as well?

0 Karma

jip31
Motivator
0 Karma

jip31
Motivator

hi
When I do this I have an "encoded" issue with > or <

0 Karma

vikas_baranwal
Path Finder

Hi,

I think you should take the point below into consideration about the command. Maybe this could help you to some extent.

Specify the number of results to return from the sorted results. If no count is specified, the default limit of 10000 is used. If 0 is specified, all results are returned.

Thanks

0 Karma

nabeel652
Builder

Try wrapping your token in the tonumber function, like:

| eval health = tonumber($tok_health|s$) 
0 Karma

jip31
Motivator

hi
I have an issue: Error in 'eval' command: The arguments to the 'tonumber' function are invalid.

0 Karma

FrankVl
Ultra Champion

Yeah, that of course doesn't work when you include the < operator in the token value.

0 Karma