Creating a base search for dashboard

MeMilo09
Path Finder

Hello All,

I've been trying to create a base search for my dashboard. I have included all the fields that both queries have in common, labeled the first basesearch as id and the second as a base. I keep getting an "Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key=expression". I also have a question on the tokens: are they only supposed to be on the first query under id basesearch? What is wrong with my base searches here? Thanks in advance.

 

 

<form>
  <label>Cloned Dashboard </label>
  <search id="basesearch"> <----(This is the start of my base search)
    <query>
      (index=dmx_rapper.xmn  $tok_eco_alias$  (team=dev staging="Test" )    OR ( team=Pro  ))
| eval HRofstage=case(stage="SentStatus", HRStamp),
| eval ProPriority=case(team="Pro", lookupService),
sentToProHR=case(Type="sentToPro", HRLogged)
| stats earliest(sentToProHR) as sentToProHR latest(HRofstage) as HRofstage values(Duration) as Duration values(lookupService) as lookupService  dc(Identifier) as TotalDocs values(Total) as Total values(ProPriority) as Pro_Priority by Identifier
| where Pro_Priority="$tok_rate$"
| eval startTime = strptime(sentToProHR,"%Y-%m-%d %H:%M:%S.%q"), endTime=strptime(HRofstage,"%Y-%m-%d %H:%M:%S.%6N")
| where isNotNull(sentToProHR)  AND isNotNull(HRofstage)
| eval Duration = ((endTime-startTime)/60)
| eval ServiceValue=case(lookupService="Low", 3600, lookupService="Medium", 2880,  lookupService="High", 1440)
    </query>
    <earliest>$time_range.earliest$</earliest>
    <latest>$time_range.latest$</latest>
     <title>Service Value Success Count and Percentage </title>
        <search base="basesearch"> <----(2nd query for basesearch)
          <query> search | eval ServiceValue=if(Duration&lt;=ServiceValue, "Success", "Failure")
| eval Total=case(ServiceValue="Success", Identifier)
| stats  dc(Total) as ServiceValue dc(Identifier) as Totals_Received
| eval Percentage=round((ServiceValue/Total_Received)*100)
| eval ServiceValue=tostring(ServiceValue,"commas") . " (" .Percentage."%" . ")"
| table ServiceValue
</query>
        </search>


gcusello
SplunkTrust

Hi @MeMilo09,

About the first problem: there's a comma at the end of an eval command:

| eval HRofstage=case(stage="SentStatus", HRStamp),

About the second question: you can put the token in the part of the search where you need to insert it; it's better in the main search so you have fewer results.

In addition, it isn't correct to have this in the secondary search:

<query> search | eval ...

You cannot have search without arguments.

Ciao.

Giuseppe

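The two corrections from the answer above, applied to the dashboard in the question, as an added example (not the poster's or the answerer's own code): the trailing comma after the first eval is removed, and the post-process query starts at a pipe instead of a bare search. The `<fieldset>` inputs and their defaults, the `<table>` panel type, and the single `Total_Received` field name (the question's post-process search writes `Totals_Received` but reads `Total_Received`) are assumptions.

```xml
<form>
  <label>Cloned Dashboard</label>
  <!-- Assumed inputs: the question uses these tokens but does not show how they are defined. -->
  <fieldset submitButton="false">
    <input type="time" token="time_range"><default><earliest>-24h@h</earliest><latest>now</latest></default></input>
    <input type="text" token="tok_eco_alias"><default>*</default></input>
    <input type="text" token="tok_rate"><default>High</default></input>
  </fieldset>
  <!-- Base search: runs once. Tokens are applied here so fewer results reach the panels. -->
  <search id="basesearch">
    <query>
      (index=dmx_rapper.xmn $tok_eco_alias$ (team=dev staging="Test") OR (team=Pro))
      | eval HRofstage=case(stage="SentStatus", HRStamp)
      | eval ProPriority=case(team="Pro", lookupService),
             sentToProHR=case(Type="sentToPro", HRLogged)
      | stats earliest(sentToProHR) as sentToProHR latest(HRofstage) as HRofstage values(Duration) as Duration values(lookupService) as lookupService dc(Identifier) as TotalDocs values(Total) as Total values(ProPriority) as Pro_Priority by Identifier
      | where Pro_Priority="$tok_rate$"
      | eval startTime=strptime(sentToProHR,"%Y-%m-%d %H:%M:%S.%q"), endTime=strptime(HRofstage,"%Y-%m-%d %H:%M:%S.%6N")
      | where isNotNull(sentToProHR) AND isNotNull(HRofstage)
      | eval Duration=((endTime-startTime)/60)
      | eval ServiceValue=case(lookupService="Low", 3600, lookupService="Medium", 2880, lookupService="High", 1440)
    </query>
    <earliest>$time_range.earliest$</earliest>
    <latest>$time_range.latest$</latest>
  </search>
  <row>
    <panel>
      <title>Service Value Success Count and Percentage</title>
      <table>
        <!-- Post-process search: consumes the base search results and begins with a pipe. -->
        <search base="basesearch">
          <query>
            | eval ServiceValue=if(Duration&lt;=ServiceValue, "Success", "Failure")
            | eval Total=case(ServiceValue="Success", Identifier)
            | stats dc(Total) as ServiceValue dc(Identifier) as Total_Received
            | eval Percentage=round((ServiceValue/Total_Received)*100)
            | eval ServiceValue=tostring(ServiceValue,"commas") . " (" . Percentage . "%" . ")"
            | table ServiceValue
          </query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The time range is set only on the base search; the post-process search inherits the base search's results and does not take its own `<earliest>` or `<latest>`.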

gcusello
SplunkTrust

Hi @MeMilo09,

Good for you, and see you next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉
