How to apply icon in foreach command

mah · ‎09-20-2021

Hi,

I am stuck on the end of a search with the foreach command.

Here is my command :

| stats count as count by _time Id statut
| xyseries Id statut count
| fillnull
| foreach count
[ eval <<FIELD>>=case(isnum(<<FIELD>>) AND <<FIELD>>=0,"❌",isnum(<<FIELD>>) AND <<FIELD>>>=1,"✔️",true(),<<FIELD>>)]

it gives me a table with 0 and 1 values but it does not display the icon I put in the foreach command :

Can you help me to troubleshoot please ?

ashvinpandey · ‎09-20-2021

@mah Try using below query at the end for all your fields after changing the field name:

| eval <<field_name>>=if(<<field_name>>=0,"❌","✔️")

Also, If this reply helps you, an upvote would be appreciated.

mah · ‎09-20-2021

@ashvinpandey nothing happened. I tried also to replace the foreach command by an eval like you but no effect.

mah · ‎09-20-2021

@ashvinpandey I tried your eval at the end like this :

| stats count as count by _time Id statut
| xyseries Id statut count
| fillnull
| foreach count
    [ eval <<FIELD>>=case(isnum(<<FIELD>>) AND <<FIELD>>=0,"❌",isnum(<<FIELD>>) AND <<FIELD>>>=1,"✔️",true(),<<FIELD>>)]

| eval count=if(count=0,"","")

But nothing happened ...

I am still getting 1 and 0 values instead of icons.

ashvinpandey · ‎09-20-2021

@mah instead of count in the eval use the exact field name like you showed in the image 3 fields blurred in image *request, *user, update* all 3 fields in three different eval

mah · ‎09-20-2021

@ashvinpandey I tried your solution with adding an eval at the end of the request (and changing the field_name by the 3 of mine) but nothing happened.

Did you tried to simulate the request by your side ?

How to apply icon in foreach command

other

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!