Solved: How to search with evaluation of value of a field ...

surekhasplunk · ‎02-22-2018

I have few department names in one column which is currently shown in my dashboard.
Then am using drilldown for one of my field

      <condition field="FIELD1">
        <link>/app/search_sample_dashboard/drilldown_dashboard?ba=$row.DepartmentName$</link>
      </condition>
| inputlookup file.csv | search Tower="$ba$" |fields name id bla bla

This is working fine where i am getting the department names as it is.
Now i have got a value "IT Overall" under field departmentnames which is actually "IT Operations" in the lookup file

So while doing a lookup if I pass row.DepartmentName as IT Operations instead of IT Overall it's getting me data.
But as row.DepartmentNames am getting IT Overall.

How to evaluate that particular value before lookup.

493669 · ‎02-22-2018

try if condition:

| inputlookup file.csv|eval tower=if("$ba$"="IT Overall","IT Operations","$ba$")|  search Tower=tower |fields name id ...

here it will check if token is "IT Overall" then make it as "IT Operations" else retain the token and save it in tower field.

View solution in original post

493669 · ‎02-22-2018

try if condition:

| inputlookup file.csv|eval tower=if("$ba$"="IT Overall","IT Operations","$ba$")|  search Tower=tower |fields name id ...

here it will check if token is "IT Overall" then make it as "IT Operations" else retain the token and save it in tower field.

surekhasplunk · ‎02-22-2018

I tried this approach but somehow its not getting the value in tower .
$ba$ is getting the correct value but tower is not holding right value.
So Tower=tower (value is tower and not the exact value "IT Operations"

493669 · ‎02-22-2018

try where clause instead of search

 | inputlookup file.csv|eval tower=if("$ba$"="IT Overall","IT Operations","$ba$")|  where Tower=tower |fields name id ...

surekhasplunk · ‎02-22-2018

@493669

No luck. same issue even with where

493669 · ‎02-22-2018

can you provide what exact query you are trying?
as I have tested below run anywhere search and it's working as expected

index=_internal |eval Sourcetype=if("splunkd"="splunkd","splunkd","splunkd_access")|where sourcetype=Sourcetype

surekhasplunk · ‎02-22-2018

| inputlookup file.csv |eval tower=if("$ba$"="IT Operations Overall","IT Operations","$ba$")| where "CTO Tower"=tower |search "Sourcing Status"="PENDING HR INVOLVEMENT" |fields Requester "Delivery Area" "CRF Role Type"

and when i click on the search to see whats happening with tower value i can see

| inputlookup employeesow.csv |eval tower=if("IT Operations Overall"="IT Operations Overall","IT Operations","IT Operations Overall")| where "CTO Tower"=tower |search "Sourcing Status"="PENDING HR INVOLVEMENT" |fields Requester "Delivery Area" "CRF Role Type"

493669 · ‎02-22-2018

firstly there should not be double quotes around CTO Tower..so try single quotes:

| inputlookup file.csv |eval tower=if("$ba$"="IT Operations Overall","IT Operations","$ba$")| where 'CTO Tower'=tower

surekhasplunk · ‎02-22-2018

Thanks @493669

It worke after changing CTO tower to single quotes. During search i always give double quotes because the field name has space in it.

Thank you so very much it worked now as expected.

493669 · ‎02-22-2018

yes for search you can use double quotes but for where clause with field name having space use single quotes.

How to search with evaluation of value of a field before searching it in inputlookup file during drilldown?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?