Solved: How to use my eval search within a form input in m...

akocak · ‎05-22-2017

Hi, thanks upfront for your time,
I have a dashboard with a form input "compare this week vs last week and "compare month vs this month"

<input type="dropdown" token="compare_time">
      <label>Comparison:</label>
      <prefix>"</prefix>
      <suffix>"</suffix>
      <choice value="w">This Week vs Last Week</choice>
      <choice value="month">This Month vs Last Month</choice>
    </input>

I create earliest and latest with evals as:

|eval compare_time="w" #for testing
|eval firsttime = "earliest=-".compare_time."@".compare_time." latest=@".compare_time
|eval timediff=if((compare_time="w"),604800,2419200)
|eval secondtime="earliest=@".compare_time." latest=now"|table firsttime timediff secondtime

I can get the values I desire on table. However, I can't start my search with these evals that will generate right search times from form input.
please help me use these inputs in my actual search. it should be something like:

| eval firsttime = "earliest=-".$compare_time$."@".$compare_time$." latest=@".$compare_time$
|eval timediff=if(($compare_time$="w"),604800,2419200)
|eval secondtime="earliest=@".$compare_time$." latest=now"
|search [index=x user=$user$ $firsttime$
| multikv | bin _time span=1d| eval reportKey="PreviousAvg"| eval _time=_time + $timediff$ 
]| append [search index=x user=$user$ $secondtime$
| multikv|eval reportKey="CurrentAvg" |bin _time span=1d] 
| timechart avg(duration) as Average by reportKey

lguinn2 · ‎05-22-2017

I think you will be much better off if you use tokens for this. In the following sample, I did most of the work with tokens - the actual search is quite simple and fast

<form>
<label>Sample</label>
<fieldset submitButton="true">
    <!-- Create inputs for user here too-->
    <input type="dropdown" token="period_tok">
    <label>Comparison:</label>
    <choice value="week">This Week vs Last Week</choice>
    <choice value="month">This Month vs Last Month</choice>
    <default>This Week vs Last Week</default>
      <change>
        <condition value="week">
          <set token="date_label">This Week vs Last Week</set>
          <set token="earliest_tok">-2w@w</set>
          <set token="latest_tok">@w</set>
          <set token="split_tok">-1w@w</set>
        </condition>
        <condition value="month">
          <set token="date_label">This Month vs Last Month</set>
          <set token="earliest_tok">-2m@m</set>
          <set token="latest_tok">@m</set>
           <set token="split_tok">-1m@m</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Comparison of $date_label$</title>
      <chart>
        <search>
          <query><![CDATA[index=x user=$user|s$
                    | eval reportKey=if(_time < relative_time(now(),$split_tok|s$),"Last ","This ") . $period_tok|s$
                    | timechart span=1d avg(duration) by reportKey]]>
          </query>
          <earliest>$earliest_tok$</earliest>
          <latest>$latest_tok$</latest>
        </search>
        <option name="charting.axisTitleX.text"></option>
        <option name="charting.axisTitleY.text">Average duration</option>
      </chart>
    </panel>
  </row>
</form>

View solution in original post

lguinn2 · ‎05-22-2017

I think you will be much better off if you use tokens for this. In the following sample, I did most of the work with tokens - the actual search is quite simple and fast

<form>
<label>Sample</label>
<fieldset submitButton="true">
    <!-- Create inputs for user here too-->
    <input type="dropdown" token="period_tok">
    <label>Comparison:</label>
    <choice value="week">This Week vs Last Week</choice>
    <choice value="month">This Month vs Last Month</choice>
    <default>This Week vs Last Week</default>
      <change>
        <condition value="week">
          <set token="date_label">This Week vs Last Week</set>
          <set token="earliest_tok">-2w@w</set>
          <set token="latest_tok">@w</set>
          <set token="split_tok">-1w@w</set>
        </condition>
        <condition value="month">
          <set token="date_label">This Month vs Last Month</set>
          <set token="earliest_tok">-2m@m</set>
          <set token="latest_tok">@m</set>
           <set token="split_tok">-1m@m</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Comparison of $date_label$</title>
      <chart>
        <search>
          <query><![CDATA[index=x user=$user|s$
                    | eval reportKey=if(_time < relative_time(now(),$split_tok|s$),"Last ","This ") . $period_tok|s$
                    | timechart span=1d avg(duration) by reportKey]]>
          </query>
          <earliest>$earliest_tok$</earliest>
          <latest>$latest_tok$</latest>
        </search>
        <option name="charting.axisTitleX.text"></option>
        <option name="charting.axisTitleY.text">Average duration</option>
      </chart>
    </panel>
  </row>
</form>

akocak · ‎05-23-2017

Thanks for the answer, Apparently, I was looking for how to create multi-token dropdown choice input. I adapted your solution to my dashboard and it works. Thanks again

How to use my eval search within a form input in my dashboard?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation