I have tokens coming from drilldown
index="test" | eval restime = case( "PRIORITY CODE" == "1" ,"Resolution Time <=120",1=1,"Resolution Time <2880")| table restime
Here res_time generates a value. But I want to pass this to the search and retrieve the table. If I pass this to the search it's not working. Maybe due to a quotes issue. Not sure... Please help.
If you are wanting to "pass this to the search", then you have to pass values that will actually tell the search what events to search for.
In this case, you need to pass "PRIORITY CODE" = "1" or pass "PRIORITY CODE" != "1".
Your references to the field names with spaces are wrong, which is why I try to avoid field names with spaces until the end and then rename them with
| rename Field_with_spaces AS "Field with spaces".
In any case, try this:
index="test" | eval res_time = case( 'PRIORITY CODE' == 1, 'Resolution Time' <= 120, true(), 'Resolution Time' < 2880) | table res_time
index="test" | eval res_time = case( $PRIORITY CODE$ == 1, $Resolution Time$ <= 120, true(), $Resolution Time$ < 2880) | table res_time
But that will need adjustment if saved into a dashboard panel.
Thanks woodcock. I will try this. Actually I get results with resolution time>120, resolution time<240, etc. But when I pass it to the search I have to pass only the resolution time in quotes for it to work. That I could not achieve. Will try this.
[Updated Answer] Since your search filter is being set on clicking of a cell in a table, one of the ways to set required search query filter would be to perform eval at the table drilldown event itself.
<drilldown> <eval token="res_time">case($row.PRIORITY CODE$=="1","Resolution Time<=120",true(),"Resolution Time>2880")</eval> </drilldown>
This should set the token res_time to either
"Resolution Time<120" or
"Resolution Time>2880" depending on whether your PRIORITY CODE value is 1 or not.
Your current query seems to be incorrect anyway. If you want to perform a search on the result(s) of your main search you can use the map command. Following is a run-anywhere search:
| makeresults | eval testValue=0 | eval searchQuery=case(testValue=="0","INFO",testValue=="1","WARN",testValue=="2","ERROR",1==1,"*") | table searchQuery | map search="search index=_internal sourcetype=splunkd log_level=\"$searchQuery$\"| head 1| eval myFilter=\"$searchQuery$\"| table _time myFilter _raw"
You can also refer to my recent answer on the same line... https://answers.splunk.com/answers/515546/how-to-create-dynamic-commands-in-search.html#answer-51790...
Splunk Documentation on map command for your reference: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map
I have to search the events and pull only those records that fall into the resolution comparison criteria. That criteria will come from another table cell drilldown. It's kind of an SLA calculation based on this time in each cell.
@k_harini... I have updated my answer with one of the approaches: use eval to set the token during table drilldown. You can build your search filter query through a case statement in the eval.
<eval token="res_time">case($row.PRIORITY CODE$=="1","Resolution Time<=120",true(),"Resolution Time>2880")</eval>
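To show the whole approach from this thread end to end, here is an added example Simple XML dashboard (it is not code from the thread or from Splunk's own documentation). It assumes the index "test" and the fields "PRIORITY CODE" and "Resolution Time" from the question, and a hypothetical "Ticket ID" field for display. Two details matter for the quoting problem the question describes: field names with spaces are wrapped in single quotes inside the token value so that the target search's where clause can evaluate them, and the "<" in "<=" must be written as "&lt;" because the query and eval text live inside XML.

```xml
<dashboard>
  <label>SLA by resolution time (added example, not from the thread)</label>
  <row>
    <panel>
      <title>Tickets</title>
      <table>
        <search>
          <!-- Source table; "Ticket ID" is an assumed field name -->
          <query>index="test" | table "Ticket ID" "PRIORITY CODE" "Resolution Time"</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <drilldown>
          <!-- Build the filter expression from the clicked row.
               Priority 1 must resolve within 120 minutes, anything else within 2880.
               Field names with spaces are single-quoted so the target search can
               evaluate them; "<" is escaped as &lt; because this is XML text. -->
          <eval token="res_time">case($row.PRIORITY CODE$=="1", "'Resolution Time'&lt;=120", true(), "'Resolution Time'&lt;=2880")</eval>
          <!-- Also keep the clicked priority so the target search can narrow on it -->
          <set token="selected_priority">$row.PRIORITY CODE$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <!-- Panel stays hidden until a cell has been clicked and res_time is set -->
    <panel depends="$res_time$">
      <title>Tickets meeting SLA for priority $selected_priority$</title>
      <table>
        <search>
          <!-- $res_time$ is substituted verbatim, e.g. 'Resolution Time'<=120,
               so it is used as a where expression rather than inside quotes -->
          <query>index="test" | where 'PRIORITY CODE'="$selected_priority$" AND $res_time$ | table "Ticket ID" "Resolution Time"</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

The token value is inserted into the second query as-is, so the drilldown eval decides the exact SPL fragment that runs; keeping that fragment to a fixed set of case() outputs, rather than echoing free-form cell text, is what keeps the generated search predictable.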