
pass case statement result to search string

Communicator

I have tokens coming from drilldown
index="test" | eval restime = case( "PRIORITY CODE" == "1" ,"Resolution Time <=120",1=1,"Resolution Time <2880")| table restime

Here res_time generates a value. But I want to pass this to the search and retrieve the table. If I pass this to the search it's not working. Maybe due to a quotes issue. Not sure... Please help

Thanks,
Harini

0 Karma

SplunkTrust

If you are wanting to "pass this to the search", then you have to pass values that will actually tell the search what events to search for.

In this case, you need to pass "PRIORITY CODE" = "1" or pass "PRIORITY CODE" != "1".

0 Karma

Esteemed Legend

Your references to the field names with spaces are wrong, which is why I try to avoid field names with spaces until the end and then rename them with | rename Field_with_spaces AS "Field with spaces".

In any case, try this:

index="test" | eval res_time = case( 'PRIORITY CODE' == 1, 'Resolution Time' <= 120, true(), 'Resolution Time' < 2880) | table res_time

OR:

index="test" | eval res_time = case( $PRIORITY CODE$ == 1, $Resolution Time$ <= 120, true(), $Resolution Time$ < 2880) | table res_time

But that will need adjustment if saved into a dashboard panel.

0 Karma

Communicator

Thanks woodcock. I will try this. Actually I get results with resolution time>120, resolution time<240, etc. But when I pass it to the search I have to pass only the resolution time in quotes for it to work. That I could not achieve. Will try this.

0 Karma

Communicator

It is there. But I cannot call a straightforward field. I need to invoke it in this way. Is it possible?

0 Karma

SplunkTrust

[Updated Answer] Since your search filter is being set on clicking a cell in a table, one way to set the required search query filter would be to perform the eval at the table drilldown event itself.

    <drilldown>
      <eval token="res_time">case($row.PRIORITY CODE$=="1","Resolution Time&lt;=120",true(),"Resolution Time&gt;2880")</eval>
    </drilldown>

This should set the token res_time to either "Resolution Time<120" or "Resolution Time>2880", depending on whether your PRIORITY CODE value is 1 or not.


Your current query seems to be incorrect anyway. If you want to perform a search on the result(s) of your main search, you can use the map command. Following is a run-anywhere search:

| makeresults
| eval testValue=0
| eval searchQuery=case(testValue=="0","INFO",testValue=="1","WARN",testValue=="2","ERROR",1==1,"*")
| table searchQuery
| map search="search index=_internal sourcetype=splunkd log_level=\"$searchQuery$\" | head 1 | eval myFilter=\"$searchQuery$\" | table _time myFilter _raw"

You can also refer to my recent answer on the same line... https://answers.splunk.com/answers/515546/how-to-create-dynamic-commands-in-search.html#answer-51790...

Splunk Documentation on map command for your reference: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
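As an added illustration (not part of the original answers or of any Splunk documentation), the following Simple XML dashboard puts the drilldown eval from the answer above next to a second panel that actually consumes the token. The field names "PRIORITY CODE" and "Resolution Time", the index "test" and the 120/2880 thresholds are taken from the thread; everything else (panel titles, the priority token, the SLA query) is constructed here. The point it shows is the quoting: the token value carries the field name in single quotes ('Resolution Time'<=120) so that, once substituted into the second panel's search, Splunk reads it as a field comparison rather than as a string literal, which is exactly what the double-quoted "PRIORITY CODE" == "1" in the original question got wrong.

```xml
<dashboard>
  <label>Resolution time SLA drilldown (constructed example)</label>
  <row>
    <panel>
      <title>Tickets by priority</title>
      <table>
        <search>
          <query>index="test" | stats count BY "PRIORITY CODE"</query>
        </search>
        <drilldown>
          <!-- Build the filter text at click time. The single quotes inside the
               string turn 'Resolution Time' into a field reference when the token
               is later substituted into a search; '&lt;' is how '<' must be written
               inside dashboard XML. Thresholds are the ones used in the thread. -->
          <eval token="res_time">case($row.PRIORITY CODE$=="1", "'Resolution Time'&lt;=120", true(), "'Resolution Time'&lt;2880")</eval>
          <!-- Remember which priority row was clicked so the detail search can filter on it. -->
          <set token="priority">$row.PRIORITY CODE$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <!-- The detail row stays hidden until a cell has been clicked and res_time exists. -->
  <row depends="$res_time$">
    <panel>
      <title>Tickets within SLA for priority $priority$ (filter: $res_time$)</title>
      <table>
        <search>
          <!-- $res_time$ expands to e.g. 'Resolution Time'<=120, a valid where clause;
               the priority filter also uses single quotes because the field name has a space. -->
          <query>index="test" | where 'PRIORITY CODE'="$priority$" AND $res_time$ | table _time "PRIORITY CODE" "Resolution Time"</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Clicking a row in the first panel sets both tokens; the second panel's where clause then evaluates the real "Resolution Time" field against the threshold chosen for that priority, which is the "pass the case result to the search" behaviour the question asked for.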

Communicator

Thanks. Will try. My current query pulls the Resolution Time comparison. But if I pass it in the search I get "No results found".

0 Karma

SplunkTrust

What is the search where you want to use the res_time field?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Communicator

I have to search the events and pull only those records that fall into the resolution comparison criteria. That criteria will come from another table cell drilldown. It's kind of an SLA calculation based on this time in each cell.

0 Karma

SplunkTrust

@k_harini... I have updated my answer with one of the approaches: use eval to set the token during the table drilldown. You can get your search filter query through a case statement in eval.

<eval token="res_time">case($row.PRIORITY CODE$=="1","Resolution Time&lt;=120",true(),"Resolution Time&gt;2880")</eval>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

SplunkTrust

@k_harini, please try out and confirm whether you were able to proceed or not.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Builder

Do you have this field "Resolution Time"? If you want to calculate it: "Resolution Time" <=120 and "Resolution Time" <2880

0 Karma