Splunk Search

Eval If statement with searches as arguments

nisha_kapoor
Path Finder

I am using the eval as follows:

eval result= if(var1=="All", [search1], [search2])

where search1 and search2 both return tables. Depending on whether the if condition is satisfied or not, I display one of the two tables. The error I get when I execute the above query is:

Error in 'eval' command: The expression is malformed. An unexpected character is reached at ').

1 Solution

niketn
Legend

@nisha_kapoor, you can code the change event of the dropdown and pass on the search query as a token (queryString in the following example) based on the selected value in the dropdown.

Following is a run anywhere example:

<row>
  <panel>
    <input type="dropdown" token="var1" searchWhenChanged="true">
      <label>Select Value</label>
      <choice value="All">All</choice>
      <choice value="Other">Other</choice>
      <change>
        <condition value="All">
          <set token="queryString">index=_internal sourcetype=splunkd log_level!="INFO" | stats count by log_level</set>
        </condition>
        <condition>
          <set token="queryString">| makeresults | eval msg="$value$ value selected"</set>
        </condition>
      </change>
      <default>All</default>
    </input>
    <table>
      <search>
        <query>$queryString$</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <option name="count">5</option>
      <option name="wrap">true</option>
      <option name="drilldown">none</option>
      <option name="dataOverlayMode">none</option>
    </table>
  </panel>
</row>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

nisha_kapoor
Path Finder

This seems to work perfectly, thank you!

nisha_kapoor
Path Finder

This seems to achieve what I was looking for, but there is one glitch. When I select a new option, the results don't load until I manually refresh my browser. Is there some way around this, since I don't want my users to have to refresh the browser each time they select a different option.

niketn
Legend

Can you ensure that searchWhenChanged is set to true for the dropdown?

   <input type="dropdown" token="var1" searchWhenChanged="true">

nisha_kapoor
Path Finder

Yeah my searchWhenChanged option is set to true, however the queryString doesn't get updated. It uses the previously stored value when it is passed to the search panel.

niketn
Legend

Which version of Splunk are you on? Is Autorun dashboard enabled?

nisha_kapoor
Path Finder

Hi, I am on Splunk Enterprise and my Autorun dashboard is on. The search refreshes when a new option is selected from the dropdown; the only problem is that queryString retains the previous dropdown value.

So suppose I open my search and the default value of the dropdown is "a". I select the value "b" and click submit (autorun and search on change are also on); the queryString still searches with "a" instead of "b" until I refresh the browser or change my selection again.

woodcock
Esteemed Legend

Like this:

 [ Some Search Here | head 1 | eval search=if(var1=="All", "search language for search1", "search language for search2") | table search ]

nisha_kapoor
Path Finder

I tried this and now this is the error I am getting:

Error in 'eval' command: The expression is malformed. Expected ).

woodcock
Esteemed Legend

Try this:

[ index="test_data" 
| head 1
| eval search=if((var1!= "All"), "index=\"test_data\" extracted_Source=\"*\" Target=\"*\" Status=\"*\" Name=\"*\" col1=\"*\" | table Name extracted_Source Target Status Details CreatedAt | sort -CreatedAt Time" , "index=\"test_data\" extracted_Source=\"*\" Target=\"*\" Status=\"*\" Name=\"*\" | table Name extracted_Source Target Status Details CreatedAt | sort -CreatedAt Time") | table search ]
nisha_kapoor
Path Finder

This doesn't seem to be working. What I want is that if I put a value instead of *, the results are filtered on that criterion. However, the above command simply seems to get me all the results stored in "test_data" and return the top one.

This is another way I tried:

index="test_data" extracted_Source="$field4$" Target="$field5$"
Status="$field7$" Name="$field8$" ($field1$ != "All" AND $field1$="$field2$") OR ($field1$==All AND TransactionID ="*") | table TransactionID Name extracted_Source Target Status Details CreatedAt

The first part of this works fine, in that the filter criterion (field1=field2) gets appended to the initial search when $field1$ != All. However, the second condition ($field1$==All) is never satisfied.

Can someone help me on how to compare the value of a field to a string and return true?

woodcock
Esteemed Legend

I am tapping out. I have not understood much of this conversation and am as lost as ever.

nisha_kapoor
Path Finder

This is what I tried originally, but it gives me this error:

Error in 'eval' command: The expression is malformed. An unexpected character is reached at ') , ( ( row1 of search) OR (row2 of search) OR (row 3 of search) ) ) )'.

woodcock
Esteemed Legend

If your search strings include double-quote characters ("), you will have to escape each one with a backslash (\).

nisha_kapoor
Path Finder

Oh okay, I did that too and the error has disappeared, but now instead of the data, the search string is repeated over and over again in the result table.

This is the query with the modifications:

index="test_data"| eval search= if(var1!= "All" , "search index=\"test_data\" extracted_Source=\"*\" Target=\"*\" 
Status=\"*\" Name=\"*\" col1=\"*\"  | table Name extracted_Source Target Status Details CreatedAt | sort -CreatedAt Time" ,
"search index=\"test_data\" extracted_Source=\"*\" Target=\"*\" Status=\"*\" Name=\"*\" 
| table Name extracted_Source Target Status Details CreatedAt | sort -CreatedAt Time")| table search
DalJeanis
Legend

@woodcock - Cool! Context, please? Like, exactly what has to be in place for this elegant little strategy to work?

This is going to return a variable named search with a value like search language for search1, so it seems like it will work when it is the entire search. Any other places it will work?

woodcock
Esteemed Legend

This is just the subsearch side of your map coin. Almost anything that you can do with map, templating wise, you can also do with a subsearch by turning the design "inside-out".

DalJeanis
Legend

An eval doesn't work that way. result is a variable, and table variables don't exist in Splunk, as far as I know.

You can achieve the same thing, though, with map.

| eval result= if(var1=="All", "search language for search1", "search language for search2")
| map search="$result$"
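An added run-anywhere version of the map approach above (written for this edit, not DalJeanis's own search): both branch searches are spelled out, var1 is hardcoded to stand in for the $var1$ dropdown token, and the dropdown value only selects between two fixed search strings instead of being spliced into the query text.

```spl
| makeresults
| eval var1="All"
| eval result=if(var1=="All",
      "search index=_internal sourcetype=splunkd log_level!=INFO | stats count by log_level",
      "search index=_internal sourcetype=splunkd_access | stats count by status")
| map search="$result$" maxsearches=1
```

Inside a dashboard <query>, write the map token as $$result$$ (the Simple XML escape for a literal $) so the dashboard does not try to substitute it as one of its own tokens before the search runs.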

niketn
Legend

@nisha_kapoor, how is var1=="All" or var1!="All" set? Is this coming from an input or an existing search? Please provide some background on your use case, as there could be multiple solutions to this problem.

nisha_kapoor
Path Finder

var1 is coming from a form input (dropdown). If that value is equal to "All" I run a certain search on my index and display the table; otherwise I run a different search and display that table. The issue I am facing is that I think only numbers/strings, and not tables, can be returned as arguments to an eval statement.
