Solved: help on eval command linked to a time input token

jip31 · ‎01-24-2022

hi

as you can see in my xml, I use an eval command in order to define an health status

this eval command is linked to a token time

now I would like to correlate the rule of my eval command with the time token

For example, if I choose the "last 7 days" in my time token, the hang has to be > 5 and the crash > 2

But if i choose the "last 30 days" in my time token, the hang has to be > 1 and the crash > 4

how to do this please?

<form theme="dark">
  <search id="bib">
    <query> index=toto ((sourcetype="hang") OR ( sourcetype="titi") 
    OR (sourcetype="tutu" web_app_duration_avg_ms &gt; 7000)) 
  </query>
    <earliest>$date.earliest$</earliest>
    <latest>$date.latest$</latest>
  </search>
    <input type="time" token="date" searchWhenChanged="true">
      <label>Période</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  
  <row>
    <panel>
      <single>
        <search base="bib">
          <query>| stats count(hang_process_name) as hang, count(crash_process_name) as crash by site 
| eval sante=if((hang&gt;5) AND (crash&gt;2), "Etat de santé dégradé","Etat de santé acceptable") 
</query>
        </search>

ITWhisperer · ‎01-26-2022

Change the title to investigate the value of the label

      <label>$pickerlabel$</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
      <change>
        <condition label="Last 30 days">
          <eval token="pickerlabel">label</eval>
          <set token="hangmin">200</set>
          <set token="crashmin">200</set>
        </condition>
        <condition label="Last 7 days">
          <eval token="pickerlabel">label</eval>
          <set token="hangmin">100</set>
          <set token="crashmin">100</set>
        </condition>
        <condition>
          <!-- Default values for these tokens -->
          <eval token="pickerlabel">label</eval>
          <set token="hangmin">1</set>
          <set token="crashmin">1</set>
        </condition>
      </change>

View solution in original post

ITWhisperer · ‎01-25-2022

Add a change handler to the timepicker:

      <change>
        <condition label="Last 30 days">
          <set token="hangmin">1</set>
          <set token="crashmin">4</set>
        </condition>
        <condition label="Last 7 days">
          <set token="hangmin">5</set>
          <set token="crashmin">2</set>
        </condition>

However, some of the labels don't equate to what you might expect. For example, "Last 7 days" from the presets ends up with a label of "Custom time" (at least in the version of Splunk I am using), but if you use relative 7 days ago to now snapped to start of day, you can get a label of "Last 7 days"

jip31 · ‎01-25-2022

sorry I dont understand to apply

what I have to modif in my eval command?

<form>
  <label>SANTE</label>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="field1" searchWhenChanged="true">
      <label>sss</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
      
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <search>
          <query>index=toto sourcetype=tutu
| stats count(hang_process_name) as hang, count(crash_process_name) as crash by site 
| eval sante=if((hang&gt;5) AND (crash&gt;2), "Etat de santé dégradé","Etat de santé acceptable")  
| eval severity=if(sante="Etat de santé dégradé",1,0) 
| rangemap field=severity low=0-0 default=severe</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="height">50</option>
      </single>
    </panel>
  </row>
</form>

ITWhisperer · ‎01-26-2022

<form>
  <label>SANTE</label>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="field1" searchWhenChanged="true">
      <label>sss</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
      <change>
        <condition label="Last 30 days">
          <set token="hangmin">1</set>
          <set token="crashmin">4</set>
        </condition>
        <condition label="Last 7 days">
          <set token="hangmin">5</set>
          <set token="crashmin">2</set>
        </condition>
        <condition><!-- Default values for these tokens -->
          <set token="hangmin">1</set>
          <set token="crashmin">1</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <search>
          <query>index=toto sourcetype=tutu
| stats count(hang_process_name) as hang, count(crash_process_name) as crash by site 
| eval sante=if((hang&gt;$hangmin$) AND (crash&gt;$crashmin$), "Etat de santé dégradé","Etat de santé acceptable")  
| eval severity=if(sante="Etat de santé dégradé",1,0) 
| rangemap field=severity low=0-0 default=severe</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="height">50</option>
      </single>
    </panel>
  </row>
</form>

jip31 · ‎01-26-2022

something is not working

for example, if I modify the condition for the last 7 days

  <condition label="Last 7 days">
          <set token="hangmin">50</set>
          <set token="crashmin">4</set>

a site is considered as "Etat de santé dégradé" instead of "Etat de santé acceptable" because his results are under the threshold of hangmin and crashmin....

I dont understand what is wrong...

ITWhisperer · ‎01-26-2022

How have you selected Last 7 days?

jip31 · ‎01-26-2022

yes...

ITWhisperer · ‎01-26-2022

As I said earlier, this doesn't work, you need to use relative, not the preset

jip31 · ‎01-26-2022

Yes I done it too

And no matter the hangmin and the crashmin I define the sante is always "Etat de santé dégradé" for this specific site...

jip31 · ‎01-26-2022

here is

<form>
  <label>SANTE</label>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="field1" searchWhenChanged="true">
      <label>sss</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
      <change>
        <condition label="Last 30 days">
          <set token="hangmin">200</set>
          <set token="crashmin">200</set>
        </condition>
        <condition label="Last 7 days">
          <set token="hangmin">100</set>
          <set token="crashmin">100</set>
        </condition>
        <condition>
          <!-- Default values for these tokens -->
          <set token="hangmin">1</set>
          <set token="crashmin">1</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>XXX</title>
      <table>
        <search>
          <query>index=tutu sourcetype=toto
| stats count(hang_process_name) as hang, count(crash_process_name) as crash by site 
| eval sante=if((hang&gt;$hangmin$) AND (crash&gt;$crashmin$), "Etat de santé dégradé","Etat de santé acceptable") 
| eval severity=if(sante="Etat de santé dégradé",1,0) 
| rangemap field=severity low=0-0 default=severe 
| table site sante hang crash</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

ITWhisperer · ‎01-26-2022

Can you share your current SimpleXML?

jip31 · ‎01-26-2022

<form>
  <label>SANTE</label>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="field1" searchWhenChanged="true">
      <label>sss</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
      <change>
        <condition label="Last 30 days">
          <set token="hangmin">200</set>
          <set token="crashmin">200</set>
        </condition>
        <condition label="Last 7 days">
          <set token="hangmin">100</set>
          <set token="crashmin">100</set>
        </condition>
        <condition>
          <!-- Default values for these tokens -->
          <set token="hangmin">1</set>
          <set token="crashmin">1</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>XXX</title>
      <table>
        <search>
          <query>index=toto 
| fields hang_process_name crash_process_name site 
| stats count(hang_process_name) as hang, count(crash_process_name) as crash by site 
| eval sante=if((hang&gt;$hangmin$) AND (crash&gt;$crashmin$), "Etat de santé dégradé","Etat de santé acceptable") 
| eval severity=if(sante="Etat de santé dégradé",1,0) 
| rangemap field=severity low=0-0 default=severe 
| table site sante hang crash</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

ITWhisperer · ‎01-26-2022

Try changing the label of the timepicker to show what the values of the token are

<label>$hangmin$ $crashmin$</label>

jip31 · ‎01-26-2022

I know what the value are because I have added

| table site sante hang crash

so I can see the input time token is not working correctly

ITWhisperer · ‎01-26-2022

This doesn't tell you the value of the tokens being used in your if statement - you need to debug the timepicker change handler to determine which values are being set in the tokens - I think there is a token debugger app in splunkbase that you could try if simply displaying them in labels doesn't work for you

jip31 · ‎01-26-2022

I have found

Its due to the language...

If I replace "Last 7 days" by "Dernière 7 jours" it works

But it doesnt works for 30 j!

I dont understand

ITWhisperer · ‎01-26-2022

Change the title to investigate the value of the label

      <label>$pickerlabel$</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
      <change>
        <condition label="Last 30 days">
          <eval token="pickerlabel">label</eval>
          <set token="hangmin">200</set>
          <set token="crashmin">200</set>
        </condition>
        <condition label="Last 7 days">
          <eval token="pickerlabel">label</eval>
          <set token="hangmin">100</set>
          <set token="crashmin">100</set>
        </condition>
        <condition>
          <!-- Default values for these tokens -->
          <eval token="pickerlabel">label</eval>
          <set token="hangmin">1</set>
          <set token="crashmin">1</set>
        </condition>
      </change>

jip31 · ‎01-25-2022

Is anybody can help please?

help on eval command linked to a time input token

other

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor