How to write an eval if/then statement to produce ...

jnichols914 · ‎09-13-2016

Hi Everyone,

Longtime user of Splunk and come here often to find my answers, but I can't exactly solve the issue I have here.

Background of what I'm trying to do:

My Dashboard has options for PROD, DEMO. When I select the dropdown, it will change the searches from my production servers to my demo servers. I'm looking at java logging to look at max threads on our tomcat hosts and would like to look at demo logging, but the hard part is, it's a different number for all hosts.

Here is my XML:

host=$il_env$-ilas* sourcetype=jmx attributevalue="*" attributeID=366 | stats latest(attributevalue) | rangemap field=latest(attributevalue) low=0-2500 elevated=2500-2750 severe=2750-3000 default=none

My goal is to use the $il_env$ wildcard to do an if/then statement. If host=production, the search will use attributeID=366. If the host=demo, the search will use attributeID=912.

Any help would be greatly appreciated.

sundareshr · ‎09-13-2016

Try this

<form>
<input type="dropdown" token="il_env">
<options>
...
<change>
<eval token="attr">if($value$="Prod", 366, 912)</eval>
</change>

<panel>
<chart>
<search>
<query>host=$il_env$-ilas* sourcetype=jmx attributevalue="*" attributeID=$attr$ | stats latest(attributevalue) | rangemap field=latest(attributevalue) low=0-2500 elevated=2500-2750 severe=2750-3000 default=none</query>
</search>
</panel>
</form>

How to write an eval if/then statement to produce a result for a single value visualization?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!