Splunk Search

Eval Token expression - How to set a token with eval?

xbbj4qr
New Member

I'm trying to set a token with eval.

$row.ReportName$ is a multivalued column. Trying to split it and set as a new token. Eval Token expression - token set is not happening.

<drilldown> 
<condition field="xxx" match=" $click.name2$ == xxx">           
    <set token="rpt_nm_tok">$row.ReportName$</set>  
    <eval token="new_token">mvindex(split($row.ReportName$, ","), 0)</eval>
</condition>
</drilldown>

I haven't been able to find a working example in the docs or from Answers. Any help would be much appreciated

0 Karma

woodcock
Esteemed Legend

OK, now that you have shown us your entire dashboard, it is solvable (it was actually FAR trickier than I thought that it would be); try this (TAKE NOTE of the search optimizations, too):

<form>
  <init>
    <unset token="mvfind_token"></unset>
    <unset token="new_token"></unset>
  </init>
  <label></label>
  <fieldset submitButton="false">
    <input type="text" token="rpt_nm" searchWhenChanged="true">
      <label>Report</label>
      <default>*</default>
      <change>
        <unset token="type1_tok"></unset>
      </change>
    </input>
    <input type="text" token="rsp_tm" searchWhenChanged="true">
      <label>Slower than (Milliseconds)</label>
      <default>0</default>
      <change>
        <condition match="isnum($value$)">
          <eval token="new_token1">round($value$)</eval>
          <unset token="type1_tok"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Sample Report: debug=$debug$</title>
      <table>
        <search>
          <query><![CDATA[| windbag
| eval sourcetype="manual_upload2"
| rename lang AS rpt_nm
| eval rsp_tm = position * 1000
| rename host AS usr

| rename COMMENT AS "Everything above generates sample event data; everything below is optimized (it was a disaster before)."

| stats count
   count(rsp_tm<=30000)                   AS cntLESS30SEC
   count(rsp_tm>30000 AND rsp_tm<=60000)  AS cntBET3060SEC
   count(rsp_tm>60000 AND rsp_tm<=300000) AS cntBET60300SEC
   count(rsp_tm>300000)                   AS cntGRT300S BY rpt_nm, usr

| rename COMMENT AS "REMOVE THESE 3 LINES!"
| streamstats count AS _serial
| foreach c*nt* [ eval "<<FIELD>>" = _serial, _serial = _serial + 1000 ]

| stats list(rpt_nm)         AS "ReportName"
        list(count)          AS "Count by Report"
        list(cntLESS30SEC)   AS "<30s"
        list(cntBET3060SEC)  AS "30s-60s"
        list(cntBET60300SEC) AS "60s-300s"
        list(cntGRT300S)     AS ">300s" BY usr
| rename usr AS "User"]]></query>
          <earliest>-5m</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <!--condition match="1==1">
            <set token="debug">name=$click.name$, name2=$click.name2$, value=$click.value$, value2=$click.value2$, User=$row.User$, Report=$row.ReportName$, count=$row.Count by Report$, new_token=$new_token$</set>
          </condition-->
          <condition match="$click.name2$==&quot;User&quot;"></condition>
          <condition match="$click.name2$==&quot;ReportName&quot;">
            <set token="new_token">$click.value2$</set>
            <set token="debug">name=$click.name$, name2=$click.name2$, value=$click.value$, value2=$click.value2$, User=$row.User$, Report=$row.ReportName$, count=$row.Count by Report$, new_token=$new_token$, mvfind_token=$mvfind_token$</set>
          </condition>
          <condition match="$click.name2$==&quot;Count by Report&quot;">
            <set token="name2">$click.name2$</set>
            <set token="rpt_nm_tok">$row.ReportName$</set>
            <set token="y_axis_tok">$click.value$</set>
            <eval token="mvfind_token">mvfind($row.Count by Report$, "^" . $click.value2$ . "$$")</eval>
            <eval token="new_token">mvindex($row.ReportName$, $mvfind_token$)</eval>
            <set token="type1_tok">(rsp_tm&lt;30000)</set>
            <set token="debug">name=$click.name$, name2=$click.name2$, value=$click.value$, value2=$click.value2$, User=$row.User$, Report=$row.ReportName$, count=$row.Count by Report$, new_token=$new_token$, mvfind_token=$mvfind_token$</set>
          </condition>
          <condition match="$click.name2$==&quot;&lt;30s&quot;">
            <set token="name2">$click.name2$</set>
            <set token="rpt_nm_tok">$row.ReportName$</set>
            <set token="y_axis_tok">$click.value$</set>
            <eval token="mvfind_token">mvfind($row.&lt;30s$, "^" . $click.value2$ . "$$")</eval>
            <eval token="new_token">mvindex($row.ReportName$, $mvfind_token$)</eval>
            <set token="type1_tok">(rsp_tm&lt;30000)</set>
            <set token="debug">name=$click.name$, name2=$click.name2$, value=$click.value$, value2=$click.value2$, User=$row.User$, Report=$row.ReportName$, count=$row.Count by Report$, new_token=$new_token$, mvfind_token=$mvfind_token$</set>
          </condition>
          <condition match="$click.name2$==&quot;30s-60s&quot;">
            <set token="name2">$click.name2$</set>
            <set token="rpt_nm_tok">$row.ReportName$</set>
            <set token="y_axis_tok">$click.value$</set>
            <eval token="mvfind_token">mvfind($row.30s-60s$, "^" . $click.value2$ . "$$")</eval>
            <eval token="new_token">mvindex($row.ReportName$, $mvfind_token$)</eval>
            <set token="type1_tok">(rsp_tm&gt;30000 AND rsp_tm&lt;=60000)</set>
            <set token="debug">name=$click.name$, name2=$click.name2$, value=$click.value$, value2=$click.value2$, User=$row.User$, Report=$row.ReportName$, count=$row.Count by Report$, new_token=$new_token$, mvfind_token=$mvfind_token$</set>
         </condition>
          <condition match="$click.name2$==&quot;60s-300s&quot;">
            <set token="name2">$click.name2$</set>
            <set token="y_axis_tok">$click.value$</set>
            <set token="rpt_nm_tok">$row.ReportName$</set>
            <eval token="mvfind_token">mvfind($row.60s-300s$, "^" . $click.value2$ . "$$")</eval>
            <eval token="new_token">mvindex($row.ReportName$, $mvfind_token$)</eval>
            <set token="type1_tok">(rsp_tm&gt;60000 AND rsp_tm&lt;=300000)</set>
            <set token="debug">name=$click.name$, name2=$click.name2$, value=$click.value$, value2=$click.value2$, User=$row.User$, Report=$row.ReportName$, count=$row.Count by Report$, new_token=$new_token$, mvfind_token=$mvfind_token$</set>
          </condition>
          <condition match="$click.name2$==&quot;>300s&quot;">
            <set token="name2">$click.name2$</set>
            <set token="rpt_nm_tok">$row.ReportName$</set>
            <set token="y_axis_tok">$click.value$</set>
            <eval token="mvfind_token">mvfind($row.>300s$, "^" . $click.value2$ . "$$")</eval>
            <eval token="new_token">mvindex($row.ReportName$, $mvfind_token$)</eval>
            <set token="type1_tok">(rsp_tm>300000)</set>
            <set token="debug">name=$click.name$, name2=$click.name2$, value=$click.value$, value2=$click.value2$, User=$row.User$, Report=$row.ReportName$, count=$row.Count by Report$, new_token=$new_token$, mvfind_token=$mvfind_token$</set>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row depends="$type1_tok$">
    <panel>
      <title>type1_tok=$type1_tok$ Report: $rpt_nm_tok$ - Y Axis: $y_axis_tok$ - $new_token$</title>
      <event>
        <title>new_token=$new_token$</title>
        <search>
          <query>| windbag | head 5</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="list.drilldown">none</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
      </event>
    </panel>
  </row>
</form>
0 Karma

woodcock
Esteemed Legend

Although this "works", it will fail if ever any number in any column is repeated and you click any other than the first instance of the repeated number.

0 Karma

jelatta
New Member
 <eval token="new_token">mvindex(split(tostring($row.ReportName$), ","), 0)</eval>
0 Karma

paramagurukarth
Builder

Below works for me,

<eval token="token_name">round('result.field_name',2)</eval>

Note:
The field name should be inside quotes and not in-between $s.

0 Karma

xbbj4qr
New Member

Here is my full XML. Kindly review and help!

<form>
  <label></label>
  <fieldset submitButton="false">    
    <input type="text" token="rpt_nm" searchWhenChanged="true">
      <label>Report</label>
      <default>*</default>
      <change>        
        <unset token="type1_tok"></unset>
      </change>
    </input>
    <input type="text" token="rsp_tm" searchWhenChanged="true">
      <label>Slower than (Milliseconds)</label>
      <default>0</default>
        <change>
          <condition match="isnum($value$)">
            <eval token="new_token1">round($value$)</eval>          
            <unset token="type1_tok"></unset>
          </condition>

       </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Sample Report</title>
      <table>     
        <search>
          <query>index=testing2 sourcetype=manual_upload2 rpt_nm="$rpt_nm$" rsp_tm&gt;=$rsp_tm$ | eval LESS30SEC=if(rsp_tm&lt;=30000,1,0) | eval BET3060SEC=if(rsp_tm&gt;30000 AND rsp_tm&lt;=60000,1,0) | eval BET60300SEC=if(rsp_tm&gt;60000 AND rsp_tm&lt;=300000,1,0) | eval GRT300S=if(rsp_tm&gt;300000,1,0) | stats count, sum(LESS30SEC) as cntLESS30SEC, sum(BET3060SEC) as cntBET3060SEC, sum(BET60300SEC) as cntBET60300SEC, sum(GRT300S) as cntGRT300S, count by rpt_nm, usr | stats list(rpt_nm) as "ReportName", list(count) as "Count by Report", list(cntLESS30SEC) as "&lt;30s", list(cntBET3060SEC) as "30s-60s", list(cntBET60300SEC) as "60s-300s", list(cntGRT300S) as "&gt;300s" by usr | rename usr as "User", rpt_nm as "ReportName"
          </query>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
        <option name="drilldown">cell</option>
        <drilldown>       
          <condition field="User"></condition>
          <condition field="ReportName"></condition>
          <condition field="Count by Report"></condition>
          <condition field="&lt;30s" match=" $click.name2$ == &lt;30s">
            <set token="test">$click.name2$</set>
            <set token="rpt_nm_tok">$row.ReportName$</set>
            <set token="y_axis_tok">$click.value$</set>
            <eval token="new_token">mvindex($row.ReportName$,0)</eval>
            <set token="type1_tok">rsp_tm&lt;30000</set>                    
          </condition>
          <condition field="30s-60s" match=" $click.name2$ == 30s-60s">
            <set token="test">$click.name2$</set>
            <set token="rpt_nm_tok">$row.ReportName$</set>
            <set token="y_axis_tok">$click.value$</set>
            <eval token="new_token">mvindex($row.ReportName$,0)</eval>
            <set token="type1_tok">rsp_tm&gt;30000 rsp_tm&lt;=60000</set>               
          </condition>  
          <condition field="60s-300s">          
            <set token="test">$click.name2$</set>
            <set token="y_axis_tok">$click.value$</set>
            <set token="rpt_nm_tok">$row.ReportName$</set>
            <eval token="new_token">mvindex($row.ReportName$,0)</eval>          
            <set token="type1_tok">rsp_tm&gt;60000 rsp_tm&lt;=300000</set>          
          </condition>
          <condition field="&gt;300s"  match=" $click.name2$ == &gt;300s">
            <set token="test">$click.name2$</set>
            <set token="rpt_nm_tok">$row.ReportName$</set>
            <set token="y_axis_tok">$click.value$</set>
            <eval token="new_token">mvindex($row.ReportName$,0)</eval>
            <set token="type1_tok">rsp_tm&gt;300000</set>                       
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row depends="$type1_tok$">
    <panel>
      <title>Report: $rpt_nm_tok$ - Y Axis: $y_axis_tok$ - $new_token$</title>
    </panel>
  </row>     
</form>
0 Karma

niketn
Legend

[Updated Answer]
@xbbj4qr, while my previous answer was more in terms of how the <drilldown> event handler can only have the field attribute in the <condition> block and not match, I missed the point that your second eval to always extract the first value of the multivalued field was not working.

Following are the two options you have to handle this:

1) Run a dummy search based on multivalues token set during drilldown and extract the required position value (i.e. first report name in your case). Then set the token for first report name using search event handlers <done> or <progress>, which can access the fields (single value or first row value) using default token $result.fieldname$.

2) Use Simple XML JavaScript extension to extract only the first field value of a multi-valued field. Please let me know if you would be interested in this instead of running the dummy search based approach.
Following is a run anywhere dashboard example based on first approach as defined above. There is a multi-valued field reportname. On clicking any particular report the tokens set are Multivalued reportname, Clicked report name and first report name.

Following is the Simple XML Code for the dashboard snippet provided above:

<dashboard>
  <label>Multivalue Field Token</label>
  <!-- Dummy Search to Perform Field Extraction from Multivalued Field token -->
  <search>
    <query>| makeresults 
| eval reportname="$tokReport$"
| eval reportName=mvindex(split(reportname,","),0)
    </query>
    <done>
      <set token="tokFirstReportName">$result.reportName$</set>
    </done>
  </search>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| eval reportname="report1,report2,report3,report4,report5"
| makemv reportname delim=","</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <condition field="reportname">
            <set token="tokReport">$row.reportname$</set>
            <set token="tokClickedReport">$click.value2$</set>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <div>
          <code>Multivalued Report Name</code>: $tokReport$</div>
        <div>
          <code>Clicked Report Name</code>: $tokClickedReport$</div>
        <div>
          <code>First Report Name</code>: $tokFirstReportName$</div>
      </html>
    </panel>
  </row>
</dashboard>

@xbbj4qr, Can you add a code to test whether condition is correct? like place the following code inside condition block: <set token="test">$click.name2$</set> Also

I think match is unsupported attribute for drilldown > condition block. Following should work as far as you need first element of multi-valued field ReportName.

 <drilldown>    
   <condition field="xxx">            
     <set token="rpt_nm_tok">$row.ReportName$</set>    
     <eval token="new_token">mvindex($row.ReportName$,0)</eval>
   </condition>
 </drilldown>

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
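
Option 2 in the answer above (a Simple XML JavaScript extension) is mentioned without code. The following is an added example of that approach, not part of niketn's post: it reuses the `tokReport` and `tokFirstReportName` token names from the dashboard above, assumes the multivalue token arrives as a comma-joined string (as the dummy search also assumes), and uses a hypothetical file name `first_report.js` loaded with `script="first_report.js"` on the `<dashboard>` element.

```javascript
// Added example (not from the thread).
// Hypothetical location: $SPLUNK_HOME/etc/apps/<your_app>/appserver/static/first_report.js

// Return the first non-empty value of a multivalue token, or null if none.
// Assumption: the token is a delimiter-joined string; an array is accepted
// too, so the helper works whichever form the value takes.
function firstValue(raw, delim) {
  if (raw === undefined || raw === null) return null;
  const parts = Array.isArray(raw) ? raw : String(raw).split(delim || ",");
  for (const part of parts) {
    const trimmed = String(part).trim();
    if (trimmed !== "") return trimmed;
  }
  return null;
}

// Keep tokFirstReportName in sync with tokReport on both token models, so
// $tokFirstReportName$ resolves in panels and in searches alike.
function wire(mvc) {
  const models = [
    mvc.Components.get("default"),
    mvc.Components.get("submitted"),
  ];
  const source = models[0];

  function sync(model, value) {
    const first = firstValue(value);
    models.forEach(function (m) {
      if (!m) return;
      // Unset rather than set "" so <row depends="..."> style logic still works.
      if (first === null) m.unset("tokFirstReportName");
      else m.set("tokFirstReportName", first);
    });
  }

  source.on("change:tokReport", sync);
  sync(source, source.get("tokReport")); // cover a value already set at load
}

// Only Splunk Web's AMD loader understands this call; it is skipped elsewhere.
if (typeof define === "function" && define.amd) {
  require(["splunkjs/mvc", "splunkjs/mvc/simplexml/ready!"], wire);
}
```

With this in place the dummy `| makeresults` search and its `<done>` handler are not needed; the drilldown only has to set `tokReport`.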

xbbj4qr
New Member

Thanks for your Response!

As suggested, I have verified condition, it is correct.

Also, I have verified after removing the match from the condition block, same output.

<set token="rpt_nm_tok">$row.ReportName$</set> is working fine, but <eval token="new_token">mvindex($row.ReportName$,0)</eval> is not working.

Thanks

0 Karma

niketn
Legend

@xbbj4qr, I have updated my answer, please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

woodcock
Esteemed Legend

Try this:

<drilldown>    
<condition field="xxx" match="&quot;$click.name2$&quot; == xxx">            
    <set token="rpt_nm_tok">$row.ReportName$</set>    
    <eval token="new_token">mvindex(split('row.ReportName', ","), 0)</eval>
</condition>
</drilldown>
0 Karma

xbbj4qr
New Member

Hi,
No luck! Same output. When I try to print the token in a panel, this is the output.

Reportname: $new_token$

Thanks!

0 Karma

woodcock
Esteemed Legend

We are never going to resolve this until you show us ALL the XML.

0 Karma