Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

If condition in eval token not working?

ktanwar
Explorer
‎10-13-2022 02:38 AM

Hi all,

I have a single value visualisation added in a dashboard. Its background colour depends on the value shown. (Green for 'Pass' and red for 'Fail'). But somehow it's always giving red background eventhough the value is 'Pass'. Here is the code I use:

```

<panel depends="$hide_css$">
<html>
<style>
#verdict rect {
fill: $verdict_background$ !important;
}
#verdict text {
fill: $verdict_foreground$ !important;
}
</style>
</html>
</panel>
<panel>
<single id="verdict">
<search>
<query>index=temp_index
| search splunk_id=$splunk_id$

| eval ver = verdict.$campaigns_included$
| table verdict.$campaigns_included$

</query>
<done>
<eval token="verdict_background">if($result.ver$=="Pass", "green", "red")</eval>
<set token="verdict_foreground">black</set>
</done>
</search>
<option name="colorMode">block</option>
<option name="drilldown">none</option>
<option name="height">60</option>
<option name="rangeColors">["0x53a051","0xdc4e41"]</option>
<option name="rangeValues">[0]</option>
<option name="useColors">1</option>
</single>
</panel>

```

$campaigns_included$ is the value that's chosen on a dropdown. Pls help, any help would be appreciated. @bowesmana requesting for expertise here!

Labels (5)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎10-15-2022 01:55 PM

Ah, of course, the field name verdict.$campaigns_included$ has a '.' character in the middle, so when using field names with non simple characters in them, you need to wrap the eval statement in single quotes, i.e.

| eval ver = 'verdict.$campaigns_included$'

 if you changed the field name to verdict_$campaigns_included$, then you would not need the double quotes

However, I just realised that you don't need the two fields as they are the same value, so why not just use the single field?

Note that if you do use the single field, then the <eval> token statement will also need to contain the single quotes, although I've not tested that. 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ktanwar
Explorer
‎10-16-2022 04:57 AM

This worked. Thanks @bowesmana!

0 Karma
Reply
Solved! Jump to solution

ktanwar
Explorer
‎10-13-2022 02:43 PM

Hi @bowesmana, sadly this isn't working, 

```

table ver verdict.$campaigns_included$

```

this piece of query is creating 2 columns (ver and verdict.$campaigns_included$) but ver column is empty while verdict.$campaigns_included$ column has the value Pass. Not sure what's missing here.

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎10-15-2022 01:55 PM

Ah, of course, the field name verdict.$campaigns_included$ has a '.' character in the middle, so when using field names with non simple characters in them, you need to wrap the eval statement in single quotes, i.e.

| eval ver = 'verdict.$campaigns_included$'

 if you changed the field name to verdict_$campaigns_included$, then you would not need the double quotes

However, I just realised that you don't need the two fields as they are the same value, so why not just use the single field?

Note that if you do use the single field, then the <eval> token statement will also need to contain the single quotes, although I've not tested that. 

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎10-13-2022 02:49 AM

You are calculating the ver field

| eval ver = verdict.$campaigns_included$
| table verdict.$campaigns_included$

but your table statement immediately removes it. 

If you want the ver field to be available, you can add a <fields> statement into the XML, however, I don't believe the fields statement can contain dynamic fields based on tokens.

The way to solve this is to do the same search in two searches, the first a hidden table that calculates the two fields and sets the token accordingly, and the second, your original single display, that will just the the hidden search as the base search and just only display the field you want.

Note: Not tested

<table depends="$do_not_display$">
  <search id="verdict_base">
    <query>index=fakt-remote
| search splunk_id=$splunk_id$

| eval ver = verdict.$campaigns_included$
| table ver verdict.$campaigns_included$
    </query>
    <done>
      <eval token="verdict_background">if($result.ver$=="Pass", "green", "red")</eval>
      <set token="verdict_foreground">black</set>
    </done>
  </search>
</table>
<single id="verdict">
  <search base="verdict_base">
    <query>
| table verdict.$campaigns_included$
    </query>
  </search>
  <option name="colorMode">block</option>
  <option name="drilldown">none</option>
  <option name="height">60</option>
  <option name="rangeColors">["0x53a051","0xdc4e41"]</option>
  <option name="rangeValues">[0]</option>
  <option name="useColors">1</option>
</single>

 

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...