Splunk Search

pass case statement result to search string

k_harini
Communicator

I have tokens coming from drilldown
index="test" | eval res_time = case( "PRIORITY CODE" == "1" ,"Resolution Time <=120",1=1,"Resolution Time <2880")| table res_time

Here res_time generates a value. But I want to pass this to the search and retrieve the table. If I pass this to the search it's not working. Maybe due to a quotes issue. Not sure. Please help.

Thanks,
Harini


DalJeanis
SplunkTrust

If you are wanting to "pass this to the search", then you have to pass values that will actually tell the search what events to search for.

In this case, you need to pass "PRIORITY CODE" = "1" or pass "PRIORITY CODE" != "1".


woodcock
Esteemed Legend

Your references to the field names with spaces are wrong, which is why I try to avoid field names with spaces until the end and then rename them with | rename Field_with_spaces AS "Field with spaces".

In any case, try this:

index="test" | eval res_time = case( 'PRIORITY CODE' == 1, 'Resolution Time' <= 120, true(), 'Resolution Time' < 2880) | table res_time

OR:

index="test" | eval res_time = case( $PRIORITY CODE$ == 1, $Resolution Time$ <= 120, true(), $Resolution Time$ < 2880) | table res_time

But that will need adjustment if saved into a dashboard panel.

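A run-anywhere search, added here and not part of any post in the thread, that shows the quoting difference woodcock describes on constructed data: in eval, "PRIORITY CODE" in double quotes is a string literal, so that case() branch can never match, while 'PRIORITY CODE' in single quotes reads the field. The three rows, the priority codes and the resolution times are made up with makeresults; the filter string it builds double-quotes the field name because the name contains a space, which is what the original poster said the search needed.

```spl
| makeresults count=3
| streamstats count AS n
| eval priority_code=if(n==1, "1", "3"), resolution_time=n*100
| rename priority_code AS "PRIORITY CODE", resolution_time AS "Resolution Time"
| eval literal_compare=case("PRIORITY CODE"=="1", "matched", true(), "never matches: compares two literals")
| eval res_time=case('PRIORITY CODE'=="1", "\"Resolution Time\"<=120", true(), "\"Resolution Time\"<2880")
| table n "PRIORITY CODE" "Resolution Time" literal_compare res_time
```

literal_compare takes the second branch on every row, because "PRIORITY CODE"=="1" compares two constant strings. res_time is "Resolution Time"<=120 for the row whose PRIORITY CODE is 1 and "Resolution Time"<2880 for the others, and that value can be appended to a search as-is, e.g. index="test" "Resolution Time"<=120.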

k_harini
Communicator

Thanks woodcock. I will try this. Actually I get results with resolution time>120, resolution time<240, etc. But when I pass to the search I have to pass only resolution time in quotes for it to work. That I could not achieve. Will try this.


k_harini
Communicator

It is there. But I cannot call the field straightforwardly. I need to invoke it in this way. Is it possible?


niketn
Legend

[Updated Answer] Since your search filter is being set on clicking a cell in a table, one of the ways to set the required search query filter would be to perform the eval at the table drilldown event itself.

    <drilldown>
      <eval token="res_time">case($row.PRIORITY CODE$=="1","Resolution Time&lt;=120",true(),"Resolution Time&gt;2880")</eval>
    </drilldown>

This should set the token res_time to either "Resolution Time<120" or "Resolution Time>2880" depending on whether your PRIORITY CODE value is 1 or not.


Your current query seems to be incorrect anyway. If you want to perform a search on the result(s) of your main search you can use the map command. Following is a run-anywhere search:

| makeresults
| eval testValue=0
| eval searchQuery=case(testValue=="0","INFO",testValue=="1","WARN",testValue=="2","ERROR",1==1,"*")
| table searchQuery
| map search="search index=_internal sourcetype=splunkd log_level=\"$searchQuery$\" | head 1 | eval myFilter=\"$searchQuery$\" | table _time myFilter _raw"

You can also refer to my recent answer on the same line... https://answers.splunk.com/answers/515546/how-to-create-dynamic-commands-in-search.html#answer-51790...

Splunk Documentation on map command for your reference: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
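A complete two-panel Simple XML dashboard that wires the drilldown token into a consuming search, added here as an example and not taken from the thread. The index test, the field names PRIORITY CODE and Resolution Time, the 24-hour time range and the panel titles are assumptions; the second case() branch follows the original question (<2880) rather than niketn's snippet (>2880). The clicked cell can only ever set the token to one of the two fixed strings produced by case(), so the search that consumes it receives a known filter rather than arbitrary user text; the |s token filter wraps the clicked value in double quotes and escapes any quotes inside it, so the comparison in the eval is a plain string comparison.

```xml
<dashboard>
  <label>SLA drilldown (added example)</label>
  <row>
    <panel>
      <title>Tickets by priority</title>
      <table>
        <search>
          <!-- assumed index and field names; the rename avoids a space in the $row.*$ token name -->
          <query>index="test" | rename "PRIORITY CODE" AS priority_code | stats count BY priority_code</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <drilldown>
          <!-- |s quotes and escapes the clicked value; the field name in the filter is
               double-quoted because it contains a space, so the consuming search parses it -->
          <eval token="res_time">case($row.priority_code|s$=="1", "\"Resolution Time\"&lt;=120", true(), "\"Resolution Time\"&lt;2880")</eval>
        </drilldown>
      </table>
    </panel>
  </row>
  <!-- hidden until a cell in the first table has been clicked and the token exists -->
  <row depends="$res_time$">
    <panel>
      <title>Tickets matching $res_time$</title>
      <table>
        <search>
          <query>index="test" $res_time$ | table _time "PRIORITY CODE" "Resolution Time"</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Clicking the row for priority 1 sets res_time to "Resolution Time"<=120 and the second row's search becomes index="test" "Resolution Time"<=120 | table ...; any other row sets the <2880 filter. The quoting is decided once, in the eval, so the consuming query uses $res_time$ unquoted.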

k_harini
Communicator

Thanks. Will try. My current query pulls the Resolution Time comparison. But if I pass it in the search I get "no results found".


niketn
Legend

What is the search where you want to use the res_time field?


k_harini
Communicator

I have to search the events and pull only those records that fall into the resolution comparison criteria. Those criteria will come from another table cell drilldown. It's a kind of SLA calculation based on this time in each cell.


niketn
Legend

@k_harini... I have updated my answer with one of the approaches: use eval to set a token during table drilldown. You can get your search filter query through a case statement in eval.

    <eval token="res_time">case($row.PRIORITY CODE$=="1","Resolution Time&lt;=120",true(),"Resolution Time&gt;2880")</eval>

niketn
Legend

@k_harini, please try out and confirm whether you were able to proceed or not.


gfreitas
Builder

Do you have this field "Resolution Time"? If you want to calculate it, "Resolution Time" <=120 and "Resolution Time" <2880
