Using eval within a Search Template?

Tisiphone_1
Explorer

Apologies if this is a novice question, but when I attempt to use any eval statement within a form Search Template, nothing appears to work:

    <searchTemplate>
    index=test | eval searchstring = if($String1$ == "NOTSPECIFIED"," ","Search1=$String1$")
    | search index=test $searchstring$
    </searchTemplate>

Is there something obvious that I am doing wrong? I am looking at the eval documentation, and this seems to be precisely how you are supposed to set a value to a variable. Yet, the variable does not seem usable in the next search. When I look at my search results, I see the form variables resolving, but not the one I set in the eval statement.

0 Karma
1 Solution

gkanapathy
Splunk Employee

You would need:

    index=test [ stats count | eval search=if($String1$ == "NOTSPECIFIED"," ","Search1=$String1$") | fields - count ]

You can't expand a variable name in the search command. Using a subsearch is a way around that. You also will have much better performance. The other way would have to retrieve the entire index first, then filter it.

0 Karma

gkanapathy
Splunk Employee

Oh I guess you can also use a second subsearch, not sure if that will help.

0 Karma

Tisiphone_1
Explorer

Just FYI, it works great, except for one instance - " " OR (argument) is treated as (any) OR (argument).

I'll find a workaround.

0 Karma

Tisiphone_1
Explorer

Thanks a bunch. That was much more detail than the documentation goes into.

0 Karma

gkanapathy
Splunk Employee

Yes. The subsearch is implicitly sent to "format" and the resulting string inserted into the search. You can either just concatenate a bigger expression into the value "search", or you can go back and re-do the whole thing as a macro.

0 Karma
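
An added example (not part of the original thread) of the "concatenate a bigger expression" approach described above, for a form with two inputs. The second token `$String2$` and the field `Search2` are assumptions, and the tokens are wrapped in quotes here so that eval compares their values as string literals rather than reading them as field names.

```spl
index=test
    [ stats count
      | eval search=if("$String1$" == "NOTSPECIFIED", " ", "Search1=\"$String1$\"")
                    . " " .
                    if("$String2$" == "NOTSPECIFIED", " ", "Search2=\"$String2$\"")
      | fields - count ]
```

The two fragments are joined by a space, which the outer search treats as an implicit AND, and an input left at NOTSPECIFIED contributes only a blank. The form values are substituted into the query text before it runs, so a value containing a double quote changes the shape of the eval expression; restrict these inputs to the values you expect.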

Tisiphone_1
Explorer

OK, so 'search' is actually evaluated and piped back.

What if I want to use more than one IF statement?

0 Karma

gkanapathy
Splunk Employee

You should not have the additional search at the end.

0 Karma

Tisiphone_1
Explorer

Hmm,

I am doing:

    index=test [ stats count | eval search=if($String1$ == "NOTSPECIFIED"," ","Search1=$String1$") | fields - count ] | search index=test $search$

But I always get "The specified search will not match any events"

0 Karma