Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

eval = Token, query to dashboard does not work

antonio147
Communicator
‎11-24-2021 12:54 AM

Hi,
I can't understand why this query works in search while if I insert it in the dashboard it doesn't work.
I assign the option chosen in the filter to the month variable, then I verify the choice and, based on what has been chosen, I have the sum of the X_MESE_PREVIOUS columns or the chosen month returned.
The options are "Solar Year", "Fiscal Year" and the months.
Where am I wrong?
Why it does not work ?
Tks
Antonio

---------------------------------------------------------

| loadjob savedsearch="antonio:enterprise:20211025_PASSAGGIO_AGGREGATO_DATE"


|where (sourcetype="fs_ampliamenti_ip" AND OFFERTA="DIRETTA" AND STATO="OK") OR (sourcetype= "fs_diretta" AND TIPOLOGIA="SUBNETIP" AND OFFERTA="DIRETTA" AND STATO="OK")
|eval MESEATTUALE=strftime(relative_time(now(), "-0d@d"), "%m")
|eval MESEATTUALE= 11
|eval mese="Anno Fiscale" (manual setting of the chosen filter)

|eval ANNOFISCALE=if(MESEATTUALE -3 <= 0,MESEATTUALE-3+12,MESEATTUALE-3)
|rename PROGRESSIVO_MESE as "0_MESE_PRECEDENTE"

|eval SOLARE = mvappend($0_MESE_PRECEDENTE$,$1_MESE_PRECEDENTE$,$2_MESE_PRECEDENTE$,$3_MESE_PRECEDENTE$,$4_MESE_PRECEDENTE$,$5_MESE_PRECEDENTE$,$6_MESE_PRECEDENTE$,$7_MESE_PRECEDENTE$, $8_MESE_PRECEDENTE$,$9_MESE_PRECEDENTE$,$10_MESE_PRECEDENTE$,$11_MESE_PRECEDENTE$,$12_MESE_PRECEDENTE$)

| eval FISCALE=0
| foreach *_MESE_PRECEDENTE [|eval FISCALE = if (<<MATCHSTR>> < ANNOFISCALE, FISCALE + '<<FIELD>>', FISCALE)]

| eval CHI=case(
mese="0_MESE_PRECEDENTE", $0_MESE_PRECEDENTE$ ,
mese="1_MESE_PRECEDENTE", $1_MESE_PRECEDENTE$ ,
mese="2_MESE_PRECEDENTE",$2_MESE_PRECEDENTE$ ,
mese="3_MESE_PRECEDENTE",$3_MESE_PRECEDENTE$ ,
mese="4_MESE_PRECEDENTE",$4_MESE_PRECEDENTE$ ,
mese="5_MESE_PRECEDENTE",$5_MESE_PRECEDENTE$ ,
mese="6_MESE_PRECEDENTE",$6_MESE_PRECEDENTE$ ,
mese="7_MESE_PRECEDENTE",$7_MESE_PRECEDENTE$ ,
mese="8_MESE_PRECEDENTE",$8_MESE_PRECEDENTE$ ,
mese="9_MESE_PRECEDENTE",$9_MESE_PRECEDENTE$ ,
mese="10_MESE_PRECEDENTE",$10_MESE_PRECEDENTE$ ,
mese="11_MESE_PRECEDENTE",$11_MESE_PRECEDENTE$ ,
mese="12_MESE_PRECEDENTE",$12_MESE_PRECEDENTE$ ,
mese="Anno Solare",$SOLARE$ ,
mese="Anno Fiscale",$FISCALE$ ,
1=1, "INV")

|eval RIS = case(
mese = "Anno Fiscale", FISCALE,
mese = "Anno Solare", SOLARE,
1=1, CHI)

| stats sum(RIS) as RISULTATO
|table RISULTATO

------------------------------------------------

<query>| loadjob savedsearch="antonio:enterprise:20211025_PASSAGGIO_AGGREGATO_DATE"


|where (sourcetype="fs_ampliamenti_ip" AND OFFERTA="DIRETTA" AND STATO="OK") OR (sourcetype= "fs_diretta" AND TIPOLOGIA="SUBNETIP" AND OFFERTA="DIRETTA" AND STATO="OK")
|eval MESEATTUALE=strftime(relative_time(now(), "-0d@d"), "%m")

|eval mese="$previousmonth$" (this is the token, chosen filter)

|eval ANNOFISCALE=if(MESEATTUALE -3 &lt;= 0,MESEATTUALE-3+12,MESEATTUALE-3)
|rename PROGRESSIVO_MESE as "0_MESE_PRECEDENTE"

|eval SOLARE = mvappend($$0_MESE_PRECEDENTE$$,$$1_MESE_PRECEDENTE$$,$$2_MESE_PRECEDENTE$$,$$3_MESE_PRECEDENTE$$,$$4_MESE_PRECEDENTE$$,$$5_MESE_PRECEDENTE$$,$$6_MESE_PRECEDENTE$$,$$7_MESE_PRECEDENTE$$, $$8_MESE_PRECEDENTE$$,$$9_MESE_PRECEDENTE$$,$$10_MESE_PRECEDENTE$$,$$11_MESE_PRECEDENTE$$,$$12_MESE_PRECEDENTE$$)

| eval FISCALE=0
| foreach *_MESE_PRECEDENTE [|eval FISCALE = if (&lt;&lt;MATCHSTR&gt;&gt; &lt; ANNOFISCALE, FISCALE + '&lt;&lt;FIELD&gt;&gt;', FISCALE)]

| eval CHI=case(
mese="0_MESE_PRECEDENTE", $$0_MESE_PRECEDENTE$$ ,
mese="1_MESE_PRECEDENTE", $$1_MESE_PRECEDENTE$$ ,
mese="2_MESE_PRECEDENTE",$$2_MESE_PRECEDENTE$$ ,
mese="3_MESE_PRECEDENTE",$$3_MESE_PRECEDENTE$$ ,
mese="4_MESE_PRECEDENTE",$$4_MESE_PRECEDENTE$$ ,
mese="5_MESE_PRECEDENTE",$$5_MESE_PRECEDENTE$$ ,
mese="6_MESE_PRECEDENTE",$$6_MESE_PRECEDENTE$$ ,
mese="7_MESE_PRECEDENTE",$$7_MESE_PRECEDENTE$$ ,
mese="8_MESE_PRECEDENTE",$$8_MESE_PRECEDENTE$$ ,
mese="9_MESE_PRECEDENTE",$$9_MESE_PRECEDENTE$$ ,
mese="10_MESE_PRECEDENTE",$$10_MESE_PRECEDENTE$$ ,
mese="11_MESE_PRECEDENTE",$$11_MESE_PRECEDENTE$$ ,
mese="12_MESE_PRECEDENTE",$$12_MESE_PRECEDENTE$$ ,
mese="Anno Solare",$$SOLARE$$ ,
mese="Anno Fiscale",$$FISCALE$$ ,
1=1, "INV")

|eval RIS = case(
mese = "Anno Fiscale", FISCALE,
mese = "Anno Solare", SOLARE,
1=1, CHI)

| stats sum(RIS) as RISULTATO
|table RISULTATO</query>

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-24-2021 01:35 AM

Can you share the code which sets the previousmonth token please?

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-24-2021 01:35 AM

Can you share the code which sets the previousmonth token please?

Reply
Solved! Jump to solution

antonio147
Communicator
‎11-24-2021 02:05 AM

I think I have solved 🙂
In the Static Options the Fiscal Year and Solar Year values have FY and Y respectively.
In the query instead I set month = "Fiscal Year" instead of "FY" and so also in the Solar year.
Now it returns me the correct values
Thanks anyway to ITWhisperer for your interest

0 Karma
Reply
Solved! Jump to solution

antonio147
Communicator
‎11-24-2021 01:44 AM

<input type="dropdown" token="previousmonth">
<label>MESE</label>!--
#
# FILTRO MESI con aggiunta dell'Anno Solare e Fiscale
#
--!
<search>
<query>| makeresults
| eval mon=mvrange(1, 13)
| mvexpand mon
| eval mon=mon-1
| eval month=if(mon&gt;0,(0-mon)."mon","")
| eval fieldname=if(mon&gt;0,mon."_MESE_PRECEDENTE","0_MESE_PRECEDENTE")
| eval _time=relative_time(_time,month."@mon")
| eval month=strftime(_time,"%B")

| table month fieldname</query>
</search>
<fieldForLabel>month</fieldForLabel>
<fieldForValue>fieldname</fieldForValue>
<change>
<eval token="chosenmonth">$label$</eval>
</change>
<selectFirstChoice>true</selectFirstChoice>
<choice value="FY">Anno Fiscale</choice>
<choice value="Y">Anno Solare</choice>
<initialValue>0_MESE_PRECEDENTE</initialValue>
</input>

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...