Hello All,
I've been trying to create a basesearch for my dashboard. I have included all the fields that both queries have in common, and labeled the first basesearch as id and the second as a base. I keep getting an "Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key=expression". I also have a question on the tokens: are they only supposed to be on the first query under id basesearch? What is wrong with my basesearches here? Thanks in advance.
<form>
<label>Cloned Dashboard </label>
<search id="basesearch"> <----(This is the start of my base search)
<query>
(index=dmx_rapper.xmn $tok_eco_alias$ (team=dev staging="Test" ) OR ( team=Pro ))
| eval HRofstage=case(stage="SentStatus", HRStamp),
| eval ProPriority=case(team="Pro", lookupService),
sentToProHR=case(Type="sentToPro", HRLogged)
| stats earliest(sentToProHR) as sentToProHR latest(HRofstage) as HRofstage values(Duration) as Duration values(lookupService) as lookupService dc(Identifier) as TotalDocs values(Total) as Total values(ProPriority) as Pro_Priority by Identifier
| where Pro_Priority="$tok_rate$"
| eval startTime = strptime(sentToProHR,"%Y-%m-%d %H:%M:%S.%q"), endTime=strptime(HRofstage,"%Y-%m-%d %H:%M:%S.%6N")
| where isNotNull(sentToProHR) AND isNotNull(HRofstage)
| eval Duration = ((endTime-startTime)/60)
| eval ServiceValue=case(lookupService="Low", 3600, lookupService="Medium", 2880, lookupService="High", 1440)
</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
<title>Service Value Success Count and Percentage </title>
<search base="basesearch"> <----(2nd query for basesearch)
<query> search | eval ServiceValue=if(Duration<=ServiceValue, "Success", "Failure")
| eval Total=case(ServiceValue="Success", Identifier)
| stats dc(Total) as ServiceValue dc(Identifier) as Total_Received
| eval Percentage=round((ServiceValue/Total_Received)*100)
| eval ServiceValue=tostring(ServiceValue,"commas") . " (" .Percentage."%" . ")"
| table ServiceValue
</query>
</search>
Hi @MeMilo09,
About the first problem: there's a comma at the end of an eval command:
| eval HRofstage=case(stage="SentStatus", HRStamp),
About the second question: you can put the token in the part of the search where you need to insert it; it's better in the main search so you have fewer results.
In addition, it isn't correct to have in the secondary search
<query> search | eval ...
You cannot have search without arguments.
Ciao.
Giuseppe
Hi @MeMilo09,
Good for you, and see you next time!
Ciao and happy splunking.
Giuseppe
P.S.: Karma Points are appreciated 😉