Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

eval = Token, query to dashboard does not work

antonio147
Communicator
‎11-24-2021 12:54 AM

Hi,
I can't understand why this query works in search while if I insert it in the dashboard it doesn't work.
I assign the option chosen in the filter to the month variable, then I verify the choice and, based on what has been chosen, I have the sum of the X_MESE_PREVIOUS columns or the chosen month returned.
The options are "Solar Year", "Fiscal Year" and the months.
Where am I wrong?
Why it does not work ?
Tks
Antonio

---------------------------------------------------------

| loadjob savedsearch="antonio:enterprise:20211025_PASSAGGIO_AGGREGATO_DATE"


|where (sourcetype="fs_ampliamenti_ip" AND OFFERTA="DIRETTA" AND STATO="OK") OR (sourcetype= "fs_diretta" AND TIPOLOGIA="SUBNETIP" AND OFFERTA="DIRETTA" AND STATO="OK")
|eval MESEATTUALE=strftime(relative_time(now(), "-0d@d"), "%m")
|eval MESEATTUALE= 11
|eval mese="Anno Fiscale" (manual setting of the chosen filter)

|eval ANNOFISCALE=if(MESEATTUALE -3 <= 0,MESEATTUALE-3+12,MESEATTUALE-3)
|rename PROGRESSIVO_MESE as "0_MESE_PRECEDENTE"

|eval SOLARE = mvappend($0_MESE_PRECEDENTE$,$1_MESE_PRECEDENTE$,$2_MESE_PRECEDENTE$,$3_MESE_PRECEDENTE$,$4_MESE_PRECEDENTE$,$5_MESE_PRECEDENTE$,$6_MESE_PRECEDENTE$,$7_MESE_PRECEDENTE$, $8_MESE_PRECEDENTE$,$9_MESE_PRECEDENTE$,$10_MESE_PRECEDENTE$,$11_MESE_PRECEDENTE$,$12_MESE_PRECEDENTE$)

| eval FISCALE=0
| foreach *_MESE_PRECEDENTE [|eval FISCALE = if (<<MATCHSTR>> < ANNOFISCALE, FISCALE + '<<FIELD>>', FISCALE)]

| eval CHI=case(
mese="0_MESE_PRECEDENTE", $0_MESE_PRECEDENTE$ ,
mese="1_MESE_PRECEDENTE", $1_MESE_PRECEDENTE$ ,
mese="2_MESE_PRECEDENTE",$2_MESE_PRECEDENTE$ ,
mese="3_MESE_PRECEDENTE",$3_MESE_PRECEDENTE$ ,
mese="4_MESE_PRECEDENTE",$4_MESE_PRECEDENTE$ ,
mese="5_MESE_PRECEDENTE",$5_MESE_PRECEDENTE$ ,
mese="6_MESE_PRECEDENTE",$6_MESE_PRECEDENTE$ ,
mese="7_MESE_PRECEDENTE",$7_MESE_PRECEDENTE$ ,
mese="8_MESE_PRECEDENTE",$8_MESE_PRECEDENTE$ ,
mese="9_MESE_PRECEDENTE",$9_MESE_PRECEDENTE$ ,
mese="10_MESE_PRECEDENTE",$10_MESE_PRECEDENTE$ ,
mese="11_MESE_PRECEDENTE",$11_MESE_PRECEDENTE$ ,
mese="12_MESE_PRECEDENTE",$12_MESE_PRECEDENTE$ ,
mese="Anno Solare",$SOLARE$ ,
mese="Anno Fiscale",$FISCALE$ ,
1=1, "INV")

|eval RIS = case(
mese = "Anno Fiscale", FISCALE,
mese = "Anno Solare", SOLARE,
1=1, CHI)

| stats sum(RIS) as RISULTATO
|table RISULTATO

------------------------------------------------

<query>| loadjob savedsearch="antonio:enterprise:20211025_PASSAGGIO_AGGREGATO_DATE"


|where (sourcetype="fs_ampliamenti_ip" AND OFFERTA="DIRETTA" AND STATO="OK") OR (sourcetype= "fs_diretta" AND TIPOLOGIA="SUBNETIP" AND OFFERTA="DIRETTA" AND STATO="OK")
|eval MESEATTUALE=strftime(relative_time(now(), "-0d@d"), "%m")

|eval mese="$previousmonth$" (this is the token, chosen filter)

|eval ANNOFISCALE=if(MESEATTUALE -3 &lt;= 0,MESEATTUALE-3+12,MESEATTUALE-3)
|rename PROGRESSIVO_MESE as "0_MESE_PRECEDENTE"

|eval SOLARE = mvappend($$0_MESE_PRECEDENTE$$,$$1_MESE_PRECEDENTE$$,$$2_MESE_PRECEDENTE$$,$$3_MESE_PRECEDENTE$$,$$4_MESE_PRECEDENTE$$,$$5_MESE_PRECEDENTE$$,$$6_MESE_PRECEDENTE$$,$$7_MESE_PRECEDENTE$$, $$8_MESE_PRECEDENTE$$,$$9_MESE_PRECEDENTE$$,$$10_MESE_PRECEDENTE$$,$$11_MESE_PRECEDENTE$$,$$12_MESE_PRECEDENTE$$)

| eval FISCALE=0
| foreach *_MESE_PRECEDENTE [|eval FISCALE = if (&lt;&lt;MATCHSTR&gt;&gt; &lt; ANNOFISCALE, FISCALE + '&lt;&lt;FIELD&gt;&gt;', FISCALE)]

| eval CHI=case(
mese="0_MESE_PRECEDENTE", $$0_MESE_PRECEDENTE$$ ,
mese="1_MESE_PRECEDENTE", $$1_MESE_PRECEDENTE$$ ,
mese="2_MESE_PRECEDENTE",$$2_MESE_PRECEDENTE$$ ,
mese="3_MESE_PRECEDENTE",$$3_MESE_PRECEDENTE$$ ,
mese="4_MESE_PRECEDENTE",$$4_MESE_PRECEDENTE$$ ,
mese="5_MESE_PRECEDENTE",$$5_MESE_PRECEDENTE$$ ,
mese="6_MESE_PRECEDENTE",$$6_MESE_PRECEDENTE$$ ,
mese="7_MESE_PRECEDENTE",$$7_MESE_PRECEDENTE$$ ,
mese="8_MESE_PRECEDENTE",$$8_MESE_PRECEDENTE$$ ,
mese="9_MESE_PRECEDENTE",$$9_MESE_PRECEDENTE$$ ,
mese="10_MESE_PRECEDENTE",$$10_MESE_PRECEDENTE$$ ,
mese="11_MESE_PRECEDENTE",$$11_MESE_PRECEDENTE$$ ,
mese="12_MESE_PRECEDENTE",$$12_MESE_PRECEDENTE$$ ,
mese="Anno Solare",$$SOLARE$$ ,
mese="Anno Fiscale",$$FISCALE$$ ,
1=1, "INV")

|eval RIS = case(
mese = "Anno Fiscale", FISCALE,
mese = "Anno Solare", SOLARE,
1=1, CHI)

| stats sum(RIS) as RISULTATO
|table RISULTATO</query>

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-24-2021 01:35 AM

Can you share the code which sets the previousmonth token please?

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-24-2021 01:35 AM

Can you share the code which sets the previousmonth token please?

Reply
Solved! Jump to solution

antonio147
Communicator
‎11-24-2021 02:05 AM

I think I have solved 🙂
In the Static Options the Fiscal Year and Solar Year values have FY and Y respectively.
In the query instead I set month = "Fiscal Year" instead of "FY" and so also in the Solar year.
Now it returns me the correct values
Thanks anyway to ITWhisperer for your interest

0 Karma
Reply
Solved! Jump to solution

antonio147
Communicator
‎11-24-2021 01:44 AM

<input type="dropdown" token="previousmonth">
<label>MESE</label>!--
#
# FILTRO MESI con aggiunta dell'Anno Solare e Fiscale
#
--!
<search>
<query>| makeresults
| eval mon=mvrange(1, 13)
| mvexpand mon
| eval mon=mon-1
| eval month=if(mon&gt;0,(0-mon)."mon","")
| eval fieldname=if(mon&gt;0,mon."_MESE_PRECEDENTE","0_MESE_PRECEDENTE")
| eval _time=relative_time(_time,month."@mon")
| eval month=strftime(_time,"%B")

| table month fieldname</query>
</search>
<fieldForLabel>month</fieldForLabel>
<fieldForValue>fieldname</fieldForValue>
<change>
<eval token="chosenmonth">$label$</eval>
</change>
<selectFirstChoice>true</selectFirstChoice>
<choice value="FY">Anno Fiscale</choice>
<choice value="Y">Anno Solare</choice>
<initialValue>0_MESE_PRECEDENTE</initialValue>
</input>

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...