Thx, ITWhisperer,

I noticed that.

now, I tried to use   where   AFRoute=case  as below:

basically, token can have 3 values,     ALL/*,  Agent/A,  GroupAgent/GA, 

it works when Agent/A, GroupAgent/GA  are selected from dropdown list,  but when ALL/* is selected, it doesn't work.

the following is where clause I used in query,  and the other 3  are when 3 different values are selected, what shown in search.

| where  AFRoute=case($t_TargetType|s$ == "A","true",$t_TargetType|s$ == "GA","false",$t_TargetType|s$ == "*","*")

                             | where  AFRoute=case("*" == "A","true","*" == "GA","false","*" == "*","*")       (  not working)

                             | where  AFRoute=case("GA" == "A","true","GA" == "GA","false","GA" == "*","*")  (working)

                             | where  AFRoute=case("A" == "A","true","A" == "GA","false","A" == "*","*")   (working)

but if I directly add  |  search AFRoute=*,  or |  search AFRoute="*", it works.

Kevin

How are you setting the token?

select it from here.   when GA or A selected, it works fine,  but when ALL/* is selected,  I expected both GA and A  all returned.

Add a change handler to the input to evaluate the setting, and set another token based on it, then use this token in the search. Try something like this

<change>
  <eval token="AFRoute_search">if($t_TargetType$ == "A","true","*")</eval>
</change>

 | search AFRoute=$AFRoute_search|s$

Hi, ITWhisperer,

I used  case($t_TargetType|s$ == "A","true",$t_TargetType|s$ == "GA","false",$t_TargetType|s$ == "*","*")  , instead of   if($t_TargetType$ == "A","true","*")

for 3 selections,  all return:     | search AFRoute="null"

doesn't  eval token support  case($t_TargetType|s$ == "A","true",$t_TargetType|s$ == "GA","false",$t_TargetType|s$ == "*","*")  ???  only support    if($t_TargetType$ == "A","true","*")  ???

<input type="dropdown" token="t_TargetType" searchWhenChanged="true">

      <label>TargetType</label>

      <change>

        <eval token="AFRoute_search">case($t_TargetType|s$ == "A","true",$t_TargetType|s$ == "GA","false",$t_TargetType|s$ == "*","*")</eval>

      </change>

      <choice value="*">ALL</choice>

      <choice value="GA">AgentGroup</choice>

      <choice value="A">Agent</choice>

</input>

  | search AFRoute=$AFRoute_search|s$

   | search AFRoute="null"

Kevin

Just tried, if($t_TargetType$ == "A","true","*") works, 

but I do  need to distinguish the GA and *. , if  case($t_TargetType|s$ == "A","true",$t_TargetType|s$ == "GA","false",$t_TargetType|s$ == "*","*")  is not supported, is there another way to do this?

Kevin

Hi，ITWhisperer,

Sorry for bothering you again.

the following change was working at the first beginning,   for all three selections,  Agent/A, GroupAgent/GA, ALL/*

<eval token="AFRoute_search">if($t_TargetType|s$ == "A","true",if($t_TargetType|s$ == "GA","false","*"))</eval>

then, not sure what other change I made, I noticed it stopped working today.  

all three selections all have |search AFRoute= $AFRoute_search|s$ ,  shown in search  |search AFRoute= *

the only change  I thought might be related is  I added TargetTypeID in TargetType Input, just for associating style/css purpose.

I even removed it to test if it has anything to do with "search AFRoute= *" issue,

but obviously, issue still there.

is there anyway to troubleshoot this?  why  3 selection all returned  search AFRoute= *  ???

Kevin

So, you changed something - what is the SimpleXML code for your dropdown now?

Hi, ITWhisperer,

the only change I thought might be related is  I added  id="TargetTypeID" , which is for associating style/css purposes.  but I tried to remove it,  it still doesn't work as it worked at the beginning.

   <input id="TargetTypeID" type="dropdown" token="t_TargetType" searchWhenChanged="true">

      <label>TargetType</label>

      <change>

        <eval token="AFRoute_search">if($t_TargetType|s$ == "A","true",if($t_TargetType|s$ == "GA","false","*"))</eval>

      </change>

      <choice value="*">ALL</choice>

      <choice value="GA">GroupAgent</choice>

      <choice value="A">Agent</choice>

      <default>*</default>

      <initialValue>*</initialValue>

</input>

search string using this TargetType token handler  is no change as below:

 | search AFRoute=$AFRoute_search|s$

when I opened search from dashboard, I remember I used to be able to see the full expression like the following expression in search based on dropdown list selection: 

                             | where  AFRoute=case("*" == "A","true","*" == "GA","false","*" == ".","*")

                             | where  AFRoute=case("GA" == "A","true","GA" == "GA","false","GA" == "*","*")

                             | where  AFRoute=case("A" == "A","true","A" == "GA","false","A" == "*","*")

    which is helpful for troubleshooting,  but now I can only see the result    | search AFRoute=*

Kevin

Besides，  the original token t_TargetType still works fine.

not sure why its value not passed token handler  AFRoute_search, or always * passed

Kevin

 | where  AFRoute=case("*" == "A","true","*" == "GA","false","*" == ".","*")

 | where  AFRoute=case("GA" == "A","true","GA" == "GA","false","GA" == "*","*")

  | where  AFRoute=case("A" == "A","true","A" == "GA","false","A" == "*","*"),

these expressions are just examples I tried to show what I meant full expression with dynamic dropdown list selections,  now , I didn't use case expression in my token handler, still using your nesting if there.

thx, will try.

Kevin

What does the simpleXML look like?

noticed something interesting,  when I changed this dropdown selection,  the panel using the original token for this TargetType started refreshing, but the panel using this token handler no refreshing.

besides, I have some other search clause , which uses | search  fieldname =  $tokenname$,  why this one uses $tokenhandlername|s$？

Kevin

the following is the query including    | search AFRoute=$AFRoute_search|s$

sourcetype="omni:ors:voice" $Gucid_token$ $t_ENT_Segment$ "IN THE TARGETING: Routing Target constructed as"

| rex field=_raw "vVQ  =(?<ENT_VQ>.*?)\'"

| rex field=_raw "constructed as:<\/br>(?<Target>.*?)<\/"

| eval Target=if(substr(Target,1,34)=="UHC>0 & GovtPrograms>0 & Sales>0 &",substr(Target,35),Target)

| eval TargeValidator = Target

| rex mode=sed field=TargeValidator "s/(?<var>\w+)\s*(?<comparator>[<>=]+)\s*(?<num>0|[1-9]\d*)//g"

| eval VResult = if(match(TargeValidator,"[\d\w]"),"FALSE","TRUE")

| where match(VResult,$t_TargetSEValidation|s$)

| rex field=_raw "Call Priority is adjusted to (?<Priority>\d{1,3}?)<\/"

| eval sid = substr(sid,2,32)

| eval id=sid

| search ENT_VQ=$t_VQ$

| sort by id,_time asc

| streamstats count as SEInx by sid

| where SEInx > $skillexpressionLength$

| eval sid=if(SEInx=1,id,null())

| sort 0 -_time

| streamstats last(_time) AS end_epoch current=f

| eval end_time=strftime(end_epoch, "%Y-%m-%d %H:%M:%S")

| eval start_time=strftime(_time, "%Y-%m-%d %H:%M:%S")

| eval time_range=start_time." - ".end_time

| eval Dura=end_epoch-_time

| eval ENT_VQ=if(substr(ENT_VQ,1,26)=="VQ_UHC_GovtPrograms_Sales_",substr(ENT_VQ,27),ENT_VQ)

| sort 0 _time

| table _time,sid, id,SEInx,Dura,Target,VResult,ENT_VQ,Priority

| sort by id,_time asc

| join id

    [ search index="cba_omni" sourcetype="omni:ors:voice" "Call to URS Function FetchConfigsOnDN completed"

    | rex field=_raw "sid='(?<id>\w{20,40})'"

    | rex field=_raw "env\\\":\\\"(?<ENV>\w{2,20})\\\""

    | search ENV=$t_ENV_SelectedTarget$

    | table _time,ENV,id ]

| eval sid = substr(sid,24,32)

| join id

    [ search index="cba_omni" source="*ors*" "IN THE ROUTING: ROUTING CODE COMPLETED at Exit_IXN_Deleted" GovtPrograms

    | rex field=_raw "sid='(?<id>\w{20,40})'"

    | rex field=_raw "Routed:\\\"(?<Routed>\w{1,5})\\\""

    | rex field=_raw "ENT_AfinitiStatus:\\\"(?<AFStatus>\w{2,10})\\\""

    | rex field=_raw "ENT_AfinitiRoute:\\\"(?<AFRoute>\w{4,10})\\\""

    | rex field=_raw "TargetLoopCnt:(?<TLCnt>\w{1,3})"

                | search AFRoute=$AFRoute_search|s$

    | table _time,id,AFRoute,TLCnt]

| eval StartDTM_epoch = relative_time(_time,"-20m")

| eval EndDTM_epoch = relative_time(_time,"+20m")

| table _time,ENV,sid, id,SEInx,Dura,Target,AFRoute,TLCnt,VResult,ENT_VQ,Priority,StartDTM_epoch,EndDTM_epoch

| sort by id,_time asc