If condition in eval token not working?

ktanwar
Explorer

Hi all,

I have a single value visualisation added in a dashboard. Its background colour depends on the value shown. (Green for 'Pass' and red for 'Fail'). But somehow it's always giving a red background even though the value is 'Pass'. Here is the code I use:

```
<panel depends="$hide_css$">
  <html>
    <style>
      #verdict rect {
        fill: $verdict_background$ !important;
      }
      #verdict text {
        fill: $verdict_foreground$ !important;
      }
    </style>
  </html>
</panel>
<panel>
  <single id="verdict">
    <search>
      <query>index=temp_index
| search splunk_id=$splunk_id$
| eval ver = verdict.$campaigns_included$
| table verdict.$campaigns_included$
      </query>
      <done>
        <eval token="verdict_background">if($result.ver$=="Pass", "green", "red")</eval>
        <set token="verdict_foreground">black</set>
      </done>
    </search>
    <option name="colorMode">block</option>
    <option name="drilldown">none</option>
    <option name="height">60</option>
    <option name="rangeColors">["0x53a051","0xdc4e41"]</option>
    <option name="rangeValues">[0]</option>
    <option name="useColors">1</option>
  </single>
</panel>
```

$campaigns_included$ is the value that's chosen on a dropdown. Pls help, any help would be appreciated. @bowesmana requesting for expertise here!

0 Karma
1 Solution

bowesmana
SplunkTrust

Ah, of course, the field name verdict.$campaigns_included$ has a '.' character in the middle, so when using field names with non-simple characters in them, you need to wrap the eval statement in single quotes, i.e.

```
| eval ver = 'verdict.$campaigns_included$'
```

If you changed the field name to verdict_$campaigns_included$, then you would not need the double quotes.

However, I just realised that you don't need the two fields as they are the same value, so why not just use the single field?

Note that if you do use the single field, then the <eval> token statement will also need to contain the single quotes, although I've not tested that. 

0 Karma
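
Added example, not part of the original thread: a run-anywhere search showing why the unquoted form in the question yields an empty `ver`. The sample row is constructed with `makeresults`, and `campaign_a` is a hypothetical stand-in for the dropdown value in `$campaigns_included$`.

```spl
| makeresults ```constructed one-row sample, campaign_a is a hypothetical dropdown value```
| eval "verdict.campaign_a" = "Pass" ```one field whose name contains a dot, as in the thread```
| eval verdict = "V", campaign_a = "A" ```two unrelated fields, present only to expose the concatenation```
| eval unquoted = verdict.campaign_a ```no quotes: the dot is the eval concatenation operator```
| eval quoted = 'verdict.campaign_a' ```single quotes: the whole string is read as one field name```
| fields - verdict campaign_a
| eval unquoted_missing = verdict.campaign_a ```same expression once the two operand fields no longer exist```
| table verdict.campaign_a unquoted quoted unquoted_missing
```

Without quotes, eval concatenates the fields `verdict` and `campaign_a`, and the result is null when either is absent, which matches the empty `ver` column reported in the thread. With single quotes the expression reads the dotted field itself.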

ktanwar
Explorer

This worked. Thanks @bowesmana!

0 Karma

ktanwar
Explorer

Hi @bowesmana, sadly this isn't working, 

```
table ver verdict.$campaigns_included$
```

this piece of query is creating 2 columns (ver and verdict.$campaigns_included$) but ver column is empty while verdict.$campaigns_included$ column has the value Pass. Not sure what's missing here.

0 Karma

bowesmana
SplunkTrust

You are calculating the ver field

```
| eval ver = verdict.$campaigns_included$
| table verdict.$campaigns_included$
```

but your table statement immediately removes it. 

If you want the ver field to be available, you can add a <fields> statement into the XML, however, I don't believe the fields statement can contain dynamic fields based on tokens.

The way to solve this is to do the same search in two searches, the first a hidden table that calculates the two fields and sets the token accordingly, and the second, your original single display, that will just use the hidden search as the base search and only display the field you want.

Note: Not tested

```
<table depends="$do_not_display$">
  <search id="verdict_base">
    <query>index=fakt-remote
| search splunk_id=$splunk_id$
| eval ver = verdict.$campaigns_included$
| table ver verdict.$campaigns_included$
    </query>
    <done>
      <eval token="verdict_background">if($result.ver$=="Pass", "green", "red")</eval>
      <set token="verdict_foreground">black</set>
    </done>
  </search>
</table>
<single id="verdict">
  <search base="verdict_base">
    <query>
| table verdict.$campaigns_included$
    </query>
  </search>
  <option name="colorMode">block</option>
  <option name="drilldown">none</option>
  <option name="height">60</option>
  <option name="rangeColors">["0x53a051","0xdc4e41"]</option>
  <option name="rangeValues">[0]</option>
  <option name="useColors">1</option>
</single>
```

0 Karma