Solved: How to use my eval search within a form input in m...

akocak · ‎05-22-2017

Hi, thanks upfront for your time,
I have a dashboard with a form input "compare this week vs last week and "compare month vs this month"

<input type="dropdown" token="compare_time">
      <label>Comparison:</label>
      <prefix>"</prefix>
      <suffix>"</suffix>
      <choice value="w">This Week vs Last Week</choice>
      <choice value="month">This Month vs Last Month</choice>
    </input>

I create earliest and latest with evals as:

|eval compare_time="w" #for testing
|eval firsttime = "earliest=-".compare_time."@".compare_time." latest=@".compare_time
|eval timediff=if((compare_time="w"),604800,2419200)
|eval secondtime="earliest=@".compare_time." latest=now"|table firsttime timediff secondtime

I can get the values I desire on table. However, I can't start my search with these evals that will generate right search times from form input.
please help me use these inputs in my actual search. it should be something like:

| eval firsttime = "earliest=-".$compare_time$."@".$compare_time$." latest=@".$compare_time$
|eval timediff=if(($compare_time$="w"),604800,2419200)
|eval secondtime="earliest=@".$compare_time$." latest=now"
|search [index=x user=$user$ $firsttime$
| multikv | bin _time span=1d| eval reportKey="PreviousAvg"| eval _time=_time + $timediff$ 
]| append [search index=x user=$user$ $secondtime$
| multikv|eval reportKey="CurrentAvg" |bin _time span=1d] 
| timechart avg(duration) as Average by reportKey

lguinn2 · ‎05-22-2017

I think you will be much better off if you use tokens for this. In the following sample, I did most of the work with tokens - the actual search is quite simple and fast

<form>
<label>Sample</label>
<fieldset submitButton="true">
    <!-- Create inputs for user here too-->
    <input type="dropdown" token="period_tok">
    <label>Comparison:</label>
    <choice value="week">This Week vs Last Week</choice>
    <choice value="month">This Month vs Last Month</choice>
    <default>This Week vs Last Week</default>
      <change>
        <condition value="week">
          <set token="date_label">This Week vs Last Week</set>
          <set token="earliest_tok">-2w@w</set>
          <set token="latest_tok">@w</set>
          <set token="split_tok">-1w@w</set>
        </condition>
        <condition value="month">
          <set token="date_label">This Month vs Last Month</set>
          <set token="earliest_tok">-2m@m</set>
          <set token="latest_tok">@m</set>
           <set token="split_tok">-1m@m</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Comparison of $date_label$</title>
      <chart>
        <search>
          <query><![CDATA[index=x user=$user|s$
                    | eval reportKey=if(_time < relative_time(now(),$split_tok|s$),"Last ","This ") . $period_tok|s$
                    | timechart span=1d avg(duration) by reportKey]]>
          </query>
          <earliest>$earliest_tok$</earliest>
          <latest>$latest_tok$</latest>
        </search>
        <option name="charting.axisTitleX.text"></option>
        <option name="charting.axisTitleY.text">Average duration</option>
      </chart>
    </panel>
  </row>
</form>

View solution in original post

lguinn2 · ‎05-22-2017

I think you will be much better off if you use tokens for this. In the following sample, I did most of the work with tokens - the actual search is quite simple and fast

<form>
<label>Sample</label>
<fieldset submitButton="true">
    <!-- Create inputs for user here too-->
    <input type="dropdown" token="period_tok">
    <label>Comparison:</label>
    <choice value="week">This Week vs Last Week</choice>
    <choice value="month">This Month vs Last Month</choice>
    <default>This Week vs Last Week</default>
      <change>
        <condition value="week">
          <set token="date_label">This Week vs Last Week</set>
          <set token="earliest_tok">-2w@w</set>
          <set token="latest_tok">@w</set>
          <set token="split_tok">-1w@w</set>
        </condition>
        <condition value="month">
          <set token="date_label">This Month vs Last Month</set>
          <set token="earliest_tok">-2m@m</set>
          <set token="latest_tok">@m</set>
           <set token="split_tok">-1m@m</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Comparison of $date_label$</title>
      <chart>
        <search>
          <query><![CDATA[index=x user=$user|s$
                    | eval reportKey=if(_time < relative_time(now(),$split_tok|s$),"Last ","This ") . $period_tok|s$
                    | timechart span=1d avg(duration) by reportKey]]>
          </query>
          <earliest>$earliest_tok$</earliest>
          <latest>$latest_tok$</latest>
        </search>
        <option name="charting.axisTitleX.text"></option>
        <option name="charting.axisTitleY.text">Average duration</option>
      </chart>
    </panel>
  </row>
</form>

akocak · ‎05-23-2017

Thanks for the answer, Apparently, I was looking for how to create multi-token dropdown choice input. I adapted your solution to my dashboard and it works. Thanks again

How to use my eval search within a form input in my dashboard?

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Are you a member of the Splunk Community?

How to use my eval search within a form input in my dashboard?

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...