I am using the eval as follows:
eval result= if(var1=="All", [search1], [search2])
where search1 and search2 both return tables. According to whether the if condition is satisfied or not, I display either one of the tables. The error which I am getting when I execute the above query is:
Error in 'eval' command: The expression is malformed. An unexpected character is reached at ').

@nisha_kapoor, you can code the change event of the dropdown and pass on the Search query as token (queryString in the following example) based on selected value in the dropdown.
Following is a run anywhere example:
<row>
  <panel>
    <input type="dropdown" token="var1" searchWhenChanged="true">
      <label>Select Value</label>
      <choice value="All">All</choice>
      <choice value="Other">Other</choice>
      <change>
        <condition value="All">
          <set token="queryString">index=_internal sourcetype=splunkd log_level!="INFO" | stats count by log_level</set>
        </condition>
        <condition>
          <set token="queryString">| makeresults | eval msg="$value$ value selected"</set>
        </condition>
      </change>
      <default>All</default>
    </input>
    <table>
      <search>
        <query>$queryString$</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <option name="count">5</option>
      <option name="wrap">true</option>
      <option name="drilldown">none</option>
      <option name="dataOverlayMode">none</option>
    </table>
  </panel>
</row>
| makeresults | eval message= "Happy Splunking!!!"

This seems to work perfectly, thank you!
This seems to achieve what I was looking for, but there is one glitch. When I select a new option, the results don't load until I manually refresh my browser. Is there some way around this, since I don't want my users to have to refresh the browser each time they select a different option?

Can you ensure that searchWhenChanged is set to true for the drop down?
<input type="dropdown" token="var1" searchWhenChanged="true">
| makeresults | eval message= "Happy Splunking!!!"
Yeah, my searchWhenChanged option is set to true, however the queryString doesn't get updated. It uses the previously stored value when it is passed to the search panel.

Which version of Splunk are you on? Is Autorun dashboard enabled?
| makeresults | eval message= "Happy Splunking!!!"
Hi, I am on Splunk Enterprise and my Autorun dashboard is on. The search refreshes when a new option is selected from the dropdown; the only problem is that querystring retains the previous dropdown value.
So suppose I open my search and the default value of the dropdown is "a". I select value as "b" and click submit (autorun and search on change are also on), the querystring still searches with "a" instead of "b" until I refresh the browser or change my selection again.

Like this:
[ Some Search Here | head 1 | eval search=if(var1=="All", "search language for search1", "search language for search2") | table search ]
I tried this and now this is the error I am getting
Error in 'eval' command: The expression is malformed. Expected ).

Try this:
[ index="test_data"
| head 1
| eval search=if((var1!= "All"), "index=\"test_data\" extracted_Source=\"*\" Target=\"*\" Status=\"*\" Name=\"*\" col1=\"*\" | table Name extracted_Source Target Status Details CreatedAt | sort -CreatedAt Time" , "index=\"test_data\" extracted_Source=\"*\" Target=\"*\" Status=\"*\" Name=\"*\" | table Name extracted_Source Target Status Details CreatedAt | sort -CreatedAt Time") | table search ]
This doesn't seem to be working. I want that if I put a value instead of *, the results should be filtered based on that criteria. However, the above command simply seems to be getting me all the results stored in "test_data" and returning the top one.
This is another way I tried,
index="test_data" extracted_Source="$field4$" Target="$field5$"
Status="$field7$" Name="$field8$" ($field1$ != "All" AND $field1$="$field2$") OR ($field1$==All AND TransactionID ="*") | table TransactionID Name extracted_Source Target Status Details CreatedAt
The first part of this works fine, as in the filter criteria (field1=field2) gets appended to the initial search when $field1$!= All. However, the second condition ($field1$==All) is never satisfied.
Can someone help me on how to compare the value of a field to a string and return true?

I am tapping out. I have not understood much of this conversation and am as lost as ever.
This is what I tried originally, but it gives me this error
Error in 'eval' command: The expression is malformed. An unexpected character is reached at ') , ( ( row1 of search) OR (row2 of search) OR (row 3 of search) ) ) )'.

If your search strings include double-quote characters ", you will have to escape each one with a backslash \.
Oh okay, I did that too and the error has disappeared, but now instead of the data, the search string is repeated over and over again in the result table.
This is the query with the modifications:
index="test_data"| eval search= if(var1!= "All" , "search index=\"test_data\" extracted_Source=\"*\" Target=\"*\"
Status=\"*\" Name=\"*\" col1=\"*\" | table Name extracted_Source Target Status Details CreatedAt | sort -CreatedAt Time" ,
"search index=\"test_data\" extracted_Source=\"*\" Target=\"*\" Status=\"*\" Name=\"*\"
| table Name extracted_Source Target Status Details CreatedAt | sort -CreatedAt Time")| table search

@woodcock - Cool! Context, please? Like, exactly what has to be in place for this elegant little strategy to work?
This is going to return a variable named search with a value like search language for search1, so it seems like it will work when it is the entire search. Any other places it will work?

This is just the subsearch side of your map coin. Almost anything that you can do with map, templating wise, you can also do with a subsearch by turning the design "inside-out".

An eval doesn't work that way. result is a variable, and table variables don't exist in Splunk, as far as I know.
You can achieve the same thing, though, with map.
| eval result= if(var1=="All", "search language for search1", "search language for search2")
| map search="$result$"

@nisha_kapoor, how is var1=="All" or var1!="All" set? Is this coming from an input or existing search? Please provide a background of your use case, as there could be multiple solutions to this problem.
| makeresults | eval message= "Happy Splunking!!!"
var1 is coming from a form input (dropdown). If that value is equal to "All", I run a certain search on my index and display the table, else I run a different search and display that table. The issue I am facing is that I think only numbers/strings and not tables can be returned as arguments to an eval statement.
