Splunk Search

Dropdown list: How to update search events with an eval case command?

jip31
Motivator

Hello

From the dropdown list below, I need to update search events with an eval case command

    <input type="dropdown" token="debit" searchWhenChanged="true">
      <label>Débit</label>
      <choice value="2 Mb/s">2 Mb/s</choice>
      <choice value="4 Mb/s">4 Mb/s</choice>
    </input>

So I try something like this but it doesn't work

| eval debit="$debit$"
| eval deb=case(debit=="2 Mb/s", site=="TOTO" OR site=="TITI", debit=="4 Mb/s", site=="TUTU" OR site=="TATA", 1==1,site)
| table site deb

Could you help please?

1 Solution

richgalloway
SplunkTrust

I think I understand what the goal is and there's a better way to do it.  When the user selects the Debit value, the dashboard should set a new token with the expected site values.  Then reference that token in the search.  See the new example dashboard below.

<form version="1.1">
  <label>Test</label>
  <description>Answers support</description>
  <fieldset submitButton="false">
    <input type="dropdown" token="debit" searchWhenChanged="true">
      <label>Débit</label>
      <choice value="2 Mb/s">2 Mb/s</choice>
      <choice value="4 Mb/s">4 Mb/s</choice>
      <change>
        <condition label="2 Mb/s">
          <set token="site_tok">site=="TOTO" OR site=="TITI"</set>
        </condition>
        <condition label="4 Mb/s">
          <set token="site_tok">site=="TUTU" OR site=="TATA"</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults 
| eval site="TATA", debit=$debit|s$
| where $site_tok$
| table site debit</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

---
If this reply helps you, Karma would be appreciated.


richgalloway
SplunkTrust

Please give us more information.  What problem are you trying to solve?  What exactly does "it doesn't work" mean?  What error do you get?  What results did you expect compared to those you received?

---
If this reply helps you, Karma would be appreciated.

jip31
Motivator

When I choose an item in the dropdown list I need to filter events in my search

In the example, I just try to display the field related to the item choice

It means that if I select 2 Mb/s, I need to display the site "toto" OR the site "TITI" in my table panel

I don't have any error, just no results, even if my token value is well captured with

| eval debit='$debit$'

richgalloway
SplunkTrust

Here is the code I used to try to recreate this problem.

<form version="1.1">
  <label>Test</label>
  <description>Answers support</description>
  <fieldset submitButton="false">
    <input type="dropdown" token="debit" searchWhenChanged="true">
      <label>Débit</label>
      <choice value="2 Mb/s">2 Mb/s</choice>
      <choice value="4 Mb/s">4 Mb/s</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults 10
| eval debit="$debit$"
| eval deb=case(debit=="2 Mb/s", site=="TOTO" OR site=="TITI", debit=="4 Mb/s", site=="TUTU" OR site=="TATA", 1==1,site)
| table site deb debit</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

and here are my results:

[screenshot of the results table]

As you can see, the site field is null because no code populated it.  We have to tell Splunk which value to assign to the site field - it can be either "TOTO" or "TITI", but it must be deterministic.  How should Splunk decide which value to use?

---
If this reply helps you, Karma would be appreciated.

jip31
Motivator

Not sure I understand well, or perhaps my example is bad

| eval debit="$debit$"
| eval deb=case(debit=="2 Mb/s", site=="TOTO" OR site=="TITI", debit=="4 Mb/s", site=="TUTU" OR site=="TATA", 1==1,site)

What I exactly need is that when I select "2 Mb/s" in the dropdown list, I retrieve the selected item in my search (this works), but I also need to retrieve the site mentioned in the eval

So why, when I do this, am I unable to display only the site = "BESANC"?

Other question: instead of "site" at the end of the eval, I would like to display nothing

So I put "" but Splunk tells me that my eval is malformed

How to do this, please?

| eval deb=case(debit=='4 Mb/s', site=="BESANC", 1==1, site)
| table debit deb site

bowesmana
SplunkTrust

These statements

| eval deb=case(debit=='4 Mb/s', site=="BESANC", 1==1, site) 

AND

| eval deb=case(debit=="2 Mb/s", site=="TOTO" OR site=="TITI", debit=="4 Mb/s", site=="TUTU" OR site=="TATA", 1==1,site)

are rather odd - the case statement is used to perform the task

variable = case(condition 1, result 1, condition 2, result 2, ...)

You are saying if the field called 'debit' is "2 Mb/s" then you want the field deb to have the value represented by the statement

site=="BESANC"

which is a BOOLEAN evaluation and will result in the value 'True' or 'False', so deb will have a value of True if site is BESANC in this case. 

Is that what you are trying to do?

What do you mean by "I also need to retrieve the site mentioned in the eval"?

jip31
Motivator

Sorry for my misunderstanding on eval case

No, I don't want to return a boolean value

"site" field is a field of my index

What I need is to match the "site" field with the choice made in the dropdown list

For example, if the choice is debit=2 Mb/s then the eval command has to match with site A, B and C

if the choice is debit=4 Mb/s then the eval command has to match with site D, E and F

So perhaps eval case is not the right way?

richgalloway
SplunkTrust

The eval command assigns values to fields.  It does not match data in events.  To match events, use the search or where command.

---
If this reply helps you, Karma would be appreciated.

jip31
Motivator

OK

Whatever, I found why I was unable to display the site field

It was because the site was surrounded by single quotes instead of double quotes

| eval site=case(debit=="4 Mb/s", "BESANC", debit=="2 Mb/s", "PIBR", 1==1, "")
| table site debit

Now it works perfectly

The site displayed in my table corresponds well to the dropdown list choice

Now I am missing just one thing

For the same debit, I need to match different sites

So I need something like this

| eval site=case(debit=="4 Mb/s", ("BESANC" OR "TUTU"), debit=="2 Mb/s", ("PIBR" OR "TITI"), 1==1, ""))
| table site debit

Is it possible?


jip31
Motivator

Many thanks

richgalloway
SplunkTrust

I agree we are not understanding each other, but am not sure how to clarify the matter.

If you want to assign a value to the field 'site' then 'site' must be on the left-hand-side of the = in the eval statement.

| eval site=case(debit=='4 Mb/s', "BESANC", 1==1, "")

With the case function, the first argument is tested.  If the test passes then the second argument is evaluated and the result assigned to the specified field.  If the test fails then the third argument is tested and fourth argument evaluated.  This continues with each pair of arguments until one of the odd-numbered arguments is true.  If no odd-numbered argument is true then the result of the case function is null.

The == operator tests equality; the = operator is for assignment or equality, depending on the context.

In the line

| eval deb=case(debit=="2 Mb/s", site=="TOTO" OR site=="TITI", debit=="4 Mb/s", site=="TUTU" OR site=="TATA", 1==1,site)

The second and fourth arguments evaluate to either 'true' or 'false' and one of those values is assigned to field 'deb'.  The default case assigns the value of field 'site', which probably is null, to the field 'deb'.

---
If this reply helps you, Karma would be appreciated.
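As an added example (not code from any poster in this thread), the same dropdown-to-site mapping done entirely in SPL, putting the two points above together: eval only assigns a value to each row, and where is what keeps or drops rows, so the multi-site match goes into a where whose case() returns a boolean and whose default is false() rather than "". The four rows are constructed with makeresults for illustration; in the dashboard the literal debit="2 Mb/s" would be replaced by the token, debit=$debit|s$.

```spl
| makeresults count=4
| streamstats count AS n
| eval site=case(n==1, "TOTO", n==2, "TITI", n==3, "TUTU", n==4, "TATA")
| eval debit="2 Mb/s"
| where case(debit=="2 Mb/s", in(site, "TOTO", "TITI"),
             debit=="4 Mb/s", in(site, "TUTU", "TATA"),
             true(), false())
| table debit site
```

With debit set to "2 Mb/s" only the TOTO and TITI rows survive the where; with any value that matches no condition, the default false() returns an empty result set instead of an error.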

jip31
Motivator

Thanks, it's clearer now

but I always face an issue

when I run this

| eval site=case(debit=='4 Mb/s', "BESANC", 1==1, "")
| table debit site

Unless I am mistaken, when I choose "4 Mb/s" in the dropdown list, it matches the site "BESANC"?

So why, in the table result, do I display the debit but not the site?