Hi,
I have this query which works just fine in my dashboard. What I'd like to do is, if Properties.index=17 (instead of the current 31), which I have in a token value, then either run a separate query that excludes the "Error Message" values or somehow eval values(error_message) so it does not show. Is there a way to do this?
index=wholesale_app [search index=wholesale_app buildTarget=* product=* CustomAnalytic Properties.index="31" |table clientSessionId] |rex "cameraMACAddress.....(?<mac_address>[^\\\]+)"|rex "cameraFirmwareVersion..:..(?<cversion>[^\\\]+)"|rex "cameraModel..:..(?<cmodel>[^\\\]+)"|rex "errorMessage.....(?<error_msg>[^\\\\]+)" | stats values(accountid) as accountid values(mac_address) as mac values(error_msg) as "Error Message" values(cmodel) as model values(cversion) as version by clientSessionId|rename accountid as "Account ID" mac as "MAC Address" model as "Camera Model" version as "Camera Firmware Version"
Figured it out. Here is what I ended up with. Turns out that when setting a token using an if statement, you cannot have double quotes in the string you are trying to set. So this is valid: if(token=1, "a brown dog", "a black dog") but this is not valid: if(token=1, "a "brown" dog", "a "black" dog"). The double quotes confuse Splunk.
Instead of trying to set the entire search string, I only set the stats part.
<drilldown>
<set token="clicked_earliest">$earliest$</set>
<set token="clicked_latest">$latest$</set>
<eval token="clicked_group">substr($click.name2$,0,2)</eval>
<eval token="state">if($clicked_group$="31", "stats values(accountid) as accountid values(mac_address) as mac values(error_msg) as Error_Message values(cmodel) as model values(cversion) as version by clientSessionId", "stats values(accountid) as accountid values(mac_address) as mac values(cmodel) as model values(cversion) as version by clientSessionId")</eval>
<eval token="statevalue">if($clicked_group$="31", "errored sessions", "successful sessions")</eval>
</drilldown>
</chart>
</panel>
</row>
<row>
<panel depends="$clicked_group$">
<title>Playback vs Error details for $statevalue$</title>
<table>
<title>(Click any row to close)</title>
<search>
<query>index=wholesale_app [search index=wholesale_app buildTarget=$mso_selection$ product=$Product_token$ CustomAnalytic Properties.index="$clicked_group$" |table clientSessionId] |rex "cameraMACAddress.....(?<mac_address>[^\\\]+)"|rex "cameraFirmwareVersion..:..(?<cversion>[^\\\]+)"|rex "cameraModel..:..(?<cmodel>[^\\\]+)"|rex "errorMessage.....(?<error_msg>[^\\\\]+)"|$state$|rename accountid as "Account ID" mac as "MAC Address" model as "Camera Model" version as "Camera Firmware Version"</query>
<earliest>$clicked_earliest$</earliest>
<latest>$clicked_latest$</latest>
</search>
<drilldown>
<unset token="clicked_earliest"></unset>
<unset token="clicked_latest"></unset>
<unset token="clicked_group"></unset>
</drilldown>
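To check the accepted answer's token logic outside Splunk, here is an added Python model (not code from the thread or from Splunk itself): it applies the `$token$` substitutions, picks the stats clause per clicked group, rejects an eval string containing double quotes, and reports any token left unset, which is the condition that leaves a search "waiting for input" as mentioned in the thread. All function names are my own, and the query template is a shortened, constructed copy of the answer's `<query>`.

```python
import re

# Added example, not code from the thread: models the token logic of the accepted
# answer so both query variants can be checked offline. Names are my own.
TOKEN_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_.]*)\$")

# Constructed copy of the answer's <query> element, with all but one rex clause
# omitted to keep it short.
QUERY_TEMPLATE = (
    'index=wholesale_app [search index=wholesale_app buildTarget=$mso_selection$ '
    'product=$Product_token$ CustomAnalytic Properties.index="$clicked_group$" '
    r'|table clientSessionId] |rex "errorMessage.....(?<error_msg>[^\\\\]+)" '
    '|$state$|rename accountid as "Account ID" mac as "MAC Address"'
)
STATS_WITH_ERRORS = ("stats values(accountid) as accountid values(mac_address) as mac "
                     "values(error_msg) as Error_Message values(cmodel) as model "
                     "values(cversion) as version by clientSessionId")
STATS_NO_ERRORS = ("stats values(accountid) as accountid values(mac_address) as mac "
                   "values(cmodel) as model values(cversion) as version by clientSessionId")

def eval_token_string_ok(s):
    """The answer's constraint: a string set via <eval> if() must not contain '"'."""
    return '"' not in s

def build_state(clicked_group):
    """Mirror the two <eval> elements: choose the stats clause and the panel label."""
    if clicked_group == "31":
        return STATS_WITH_ERRORS, "errored sessions"
    return STATS_NO_ERRORS, "successful sessions"

def render(template, tokens):
    """Substitute $name$ for set tokens. Unset tokens stay in place, which is the
    condition under which a Splunk search sits at 'waiting for input'."""
    return TOKEN_RE.sub(lambda m: tokens.get(m.group(1), m.group(0)), template)

def unresolved_tokens(query):
    """Names of tokens still unsubstituted in a rendered query."""
    return sorted(set(TOKEN_RE.findall(query)))

def drilldown_query(click_name2, mso="*", product="*"):
    """Simulate the drilldown: group = first two characters of the clicked name
    (approximating substr($click.name2$,0,2)), then set state and render."""
    clicked_group = click_name2[:2]
    state, statevalue = build_state(clicked_group)
    if not eval_token_string_ok(state):
        raise ValueError("eval token string contains double quotes")
    tokens = {"mso_selection": mso, "Product_token": product,
              "clicked_group": clicked_group, "state": state}
    return render(QUERY_TEMPLATE, tokens), statevalue
```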
I'm trying this in the dashboard, but somehow the "state" token is not being set, since the subsequent search says it is waiting for input.
<drilldown>
<set token="clicked_earliest">$earliest$</set>
<set token="clicked_latest">$latest$</set>
<eval token="clicked_group">substr($click.name2$,0,2)</eval>
<eval token="state">if(match($click.name2$,"31"), "index=wholesale_app [search index=wholesale_app buildTarget=* product=* CustomAnalytic Properties.index="31" |table clientSessionId] |rex "cameraMACAddress.....(?<mac_address>[^\\\]+)"|rex "cameraFirmwareVersion..:..(?<cversion>[^\\\]+)"|rex "cameraModel..:..(?<cmodel>[^\\\]+)"|rex "errorMessage.....(?<error_msg>[^\\\\]+)" | stats values(accountid) as accountid values(mac_address) as mac values(error_msg) as "Error Message" values(cmodel) as model values(cversion) as version by clientSessionId|rename accountid as "Account ID" mac as "MAC Address" model as "Camera Model" version as "Camera Firmware Version"", "index=wholesale_app [search index=wholesale_app buildTarget=* product=* CustomAnalytic Properties.index="17" |table clientSessionId] |rex "cameraMACAddress.....(?<mac_address>[^\\\]+)"|rex "cameraFirmwareVersion..:..(?<cversion>[^\\\]+)"|rex "cameraModel..:..(?<cmodel>[^\\\]+)"|rex "errorMessage.....(?<error_msg>[^\\\\]+)" | stats values(accountid) as accountid values(mac_address) as mac values(cmodel) as model values(cversion) as version by clientSessionId|rename accountid as "Account ID" mac as "MAC Address" model as "Camera Model" version as "Camera Firmware Version"")</eval>
</drilldown>
</chart>
</panel>
</row>
<row>
<panel depends="$clicked_group$">
<title>Playback vs Error details "$clicked_group$" "$state$"</title>
<table>
<title>(Click any row to close)</title>
<search>
<query>$state$</query>
<earliest>$clicked_earliest$</earliest>
<latest>$clicked_latest$</latest>
</search>
Playing around with the eval token statement, still no luck:
<eval token="state">if(match('$clicked_group$',"31")
Another unsuccessful attempt:
<eval token="state">if($clicked_group$=31, "index=wholesale_app ...
OK, some progress; this "works":
<eval token="state">if('$clicked_group$'>"0", "A","B")</eval>
It's not what I need to work, but I'm trying to figure out what's broken. So it seems it is not the eval statement itself; it is what I'm trying to set the token to (i.e. the long query statement). Still not sure what I'm doing wrong though...