hello
From the dropdown list below, I need to update search events with an eval case command
<input type="dropdown" token="debit" searchWhenChanged="true">
<label>Débit</label>
<choice value="2 Mb/s">2 Mb/s</choice>
<choice value="4 Mb/s">4 Mb/s</choice>
</input>
So I try something like this but it doesnt works
| eval debit="$debit$"
| eval deb=case(debit=="2 Mb/s", site=="TOTO" OR site=="TITI", debit=="4 Mb/s", site=="TUTU" OR site=="TATA", 1==1,site)
| table site deb
could you help please?
I think I understand what the goal is and there's a better way to do it. When the user selects the Debit value, the dashboard should set a new token with the expected site values. Then reference that token in the search. See the new example dashboard below.
<form version="1.1">
<label>Test</label>
<description>Answers support</description>
<fieldset submitButton="false">
<input type="dropdown" token="debit" searchWhenChanged="true">
<label>Débit</label>
<choice value="2 Mb/s">2 Mb/s</choice>
<choice value="4 Mb/s">4 Mb/s</choice>
<change>
<condition label="2 Mb/s">
<set token="site_tok">site=="TOTO" OR site=="TITI"</set>
</condition>
<condition label="4 Mb/s">
<set token="site_tok">site=="TUTU" OR site=="TATA"</set>
</condition>
</change>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>| makeresults
| eval site="TATA", debit=$debit|s$
| where $site_tok$
| table site debit</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
Please give us more information. What problem are you trying to solve? What exactly does "it doesn't work" mean? What error do you get? What results did you expect compared to those you received?
When I choose an item in the dropdown list I need to filter events in my search
In the example, I just try to display the field related to the item choice
It means that if i select 2 Mb/s, in need to display the site "toto" OR hte site 'TITI" in my table panel
I have any error just no results even if my token value is well captured with
| eval debit='$debit$'
Here is the code I used to try to recreate this problem.
<form version="1.1">
<label>Test</label>
<description>Answers support</description>
<fieldset submitButton="false">
<input type="dropdown" token="debit" searchWhenChanged="true">
<label>Débit</label>
<choice value="2 Mb/s">2 Mb/s</choice>
<choice value="4 Mb/s">4 Mb/s</choice>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>| makeresults 10
| eval debit="$debit$"
| eval deb=case(debit=="2 Mb/s", site=="TOTO" OR site=="TITI", debit=="4 Mb/s", site=="TUTU" OR site=="TATA", 1==1,site)
| table site deb debit</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
and here are my results:
As you can see, the site field is null because no code populated it. We have to tell Splunk which value to assign to the site field - it can be either "TOTO" or "TITI", but it must be deterministic. How should Splunk decide which value to use?
not sure to well understand or pearhaps my example is bad
| eval debit="$debit$"
| eval deb=case(debit=="2 Mb/s", site=="TOTO" OR site=="TITI", debit=="4 Mb/s", site=="TUTU" OR site=="TATA", 1==1,site)
what I exactly need is that when I am select "2 Mb/s" in the dropdown list, I retrieve th selected item in my search (this works) but I also need to retrieve the site mentionned in the eval
So why when I am doing this, I am unable to display only the site = "BESANC"?
Other question, instead "site" ate the end of the eval, I would like to display nothing
So I put "" but Splunk tells m that my eval is malformed
How to do please?
| eval deb=case(debit=='4 Mb/s', site=="BESANC", 1==1, site)
| table debit deb site
These statements
| eval deb=case(debit=='4 Mb/s', site=="BESANC", 1==1, site)
AND
| eval deb=case(debit=="2 Mb/s", site=="TOTO" OR site=="TITI", debit=="4 Mb/s", site=="TUTU" OR site=="TATA", 1==1,site)
are rather odd - the case statement is used to perform the task
variable = case(condition 1, result 1, condition 2, result 2, ...)
You are saying if the field called 'debit' is "2 Mb/s" then you want the field deb to have the value represented by the statement
site=="BESANC"
which is a BOOLEAN evaluation and will result in the value 'True' or 'False', so deb will have a value of True if site is BESANC in this case.
Is that what you are trying to do?
what do you mean by "I also need to retrieve the site mentionned in the eval"?
sorry for my misunderstanding on eval case
no I dont want to return a boolean value
"site" field is a field of my index
what I need is to match site "field" with the choice done in tre dropdown list
For example, if the choice is debit=2 Mb/s then the eval command has to match with site A, B and C
if the choice is debit=4 Mb/s then the eval command has to match with site D, E and F
So pearhaps eval case is not the good way?
The eval command assigns values to fields. It does not match data in events. To match events, use the search or where command.
OK
whatever, I found why I was unable to display the site field
It was because the site was surronded by single quote instead double quote
eval site=case(debit=="4 Mb/s", "BESANC", debit=="2 Mb/s", "PIBR", 1==1, "")
| table site debit
Now it works perfecly
The site displayed in my table correspond well to the dropdwon list choice
Now it misses me just one thing
For a same debit, I need to match different site
So I need something like this
eval site=case(debit=="4 Mb/s", ("BESANC" OR "TUTU"), debit=="2 Mb/s", ("PIBR" OR "TITI"), 1==1, ""))
| table site debit
Is it possible?
I think I understand what the goal is and there's a better way to do it. When the user selects the Debit value, the dashboard should set a new token with the expected site values. Then reference that token in the search. See the new example dashboard below.
<form version="1.1">
<label>Test</label>
<description>Answers support</description>
<fieldset submitButton="false">
<input type="dropdown" token="debit" searchWhenChanged="true">
<label>Débit</label>
<choice value="2 Mb/s">2 Mb/s</choice>
<choice value="4 Mb/s">4 Mb/s</choice>
<change>
<condition label="2 Mb/s">
<set token="site_tok">site=="TOTO" OR site=="TITI"</set>
</condition>
<condition label="4 Mb/s">
<set token="site_tok">site=="TUTU" OR site=="TATA"</set>
</condition>
</change>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>| makeresults
| eval site="TATA", debit=$debit|s$
| where $site_tok$
| table site debit</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
many thanks
I agree we are not understanding each other, but am not sure how to clarify the matter.
If you want to assign a value to the field 'site' then 'site' must be on the left-hand-side of the = in the eval statement.
| eval site=case(debit=='4 Mb/s', "BESANC", 1==1, "")
With the case function, the first argument is tested. If the test passes then the second argument is evaluated and the result assigned to the specified field. If the test fails then the third argument is tested and fourth argument evaluated. This continues with each pair of arguments until one of the odd-numbered arguments is true. If no odd-numbered argument is true then the result of the case function is null.
The == operator tests equality; the = operator is for assignment or equality, depending on the context.
In the line
| eval deb=case(debit=="2 Mb/s", site=="TOTO" OR site=="TITI", debit=="4 Mb/s", site=="TUTU" OR site=="TATA", 1==1,site)
The second and fourth arguments evaluate to either 'true' or 'false' and one of those values is assigned to field 'deb'. The default case assigns the value of field 'site', which probably is null, to the field 'deb'.
thanks it's more clear now
but I always face an issue
when I run this
| eval site=case(debit=='4 Mb/s', "BESANC", 1==1, "")
| table debit site
Except if I am mistaken, when I chose "4 Mb/s" in the dropdown list, it maches the site "BESANC"?
So why in the table result, I display the debit but not the site?