
Passing eval value to script

albertohontoria
Path Finder

Hi friends

I have been working for hours, but it has been impossible. It seems too easy, but I don't manage to resolve it. Please help.

I have a dashboard with sideview utils, with two editable textfields and a button. When the user presses the button, I have to multiply the numeric value of the textfield, and pass it to an external python script.

For example, this works:

| script python changevalue.py "quality:$warning$:$critical$" (warning and critical are the textfield names.)

But when I try to do something as simple as:

| eval umbral1 = $warning$ * 1024 * 300
| eval umbral2 = $critical$ * 1024 * 300
| script python changevalue.py "quality:$umbral1$:$umbral2$"

It fails. umbral1 and umbral2 are blank, and I can't use these variables.

It must be very simple to resolve, but I must be blind. Please help

Regards

0 Karma

martin_mueller
SplunkTrust

You can do this:

| script python changevalue.py [stats count | eval umbral1 = $warning$ * 1024 * 300 | eval umbral2 = $critical$ * 1024 * 300 | eval param = "quality:".umbral1.":".umbral2" | return $param]

The subsearch creates a dummy event, performs your calculations, and returns a parameter string to be used by your command.
Note, if run from within a dashboard you may need to escape the dollar sign with dollar signs, similar to how you would escape a backslash with another backslash.

As an alternative, this may work in some way as well:

| stats count | eval umbral1 = $warning$ * 1024 * 300 | eval umbral2 = $critical$ * 1024 * 300 | script python changevalue.py

According to the docs, script passes the top 100 results to the script, so you should somehow be able to get that dummy event from the script.


0 Karma


martin_mueller
SplunkTrust

If you do return param you'll get param=value, if you do return $param you'll get just value without param= - the latter looked like the one you asked for in the question.

http://docs.splunk.com/Documentation/Splunk/6.0.3/SearchReference/return see example 3

0 Karma

albertohontoria
Path Finder

Thanks a lot. The returning value is in the format "param=quality:...", but I have managed to trim the string and pass it to the script.

By the way, this function doesn't work.
eval param = "quality:".umbral1.":".umbral2" | return $param

The correct way is this one:
eval param = "$vlan$:traffic:"+umbral1+":"+umbral2 | return param

Thanks again. You have my points

0 Karma
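
An added example, not code from the thread or from Splunk: the values in the argument string start as free-text dashboard fields, so the receiving script can parse its argument strictly before acting on it. It accepts both the bare "quality:..." form and the "param=quality:..." form mentioned above; the metric allow-list, the digit limit, the optional surrounding quotes and the warning <= critical rule are assumptions.

```python
import re
import sys

# Shape from the thread: quality:<umbral1>:<umbral2>. Digits only, bounded length.
ARG_RE = re.compile(r"([a-z]+):([0-9]{1,15}):([0-9]{1,15})")
ALLOWED_METRICS = {"quality"}  # assumption: the only metric this script handles


def parse_thresholds(arg):
    """Return (metric, warning, critical) or raise ValueError."""
    value = arg.strip()
    # Per the thread, `return param` gives param=value, `return $param` the bare value.
    if value.startswith("param="):
        value = value[len("param="):]
    # Assumption: the value may arrive wrapped in one pair of double quotes.
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    m = ARG_RE.fullmatch(value)
    if m is None:
        raise ValueError("argument is not <metric>:<int>:<int>")
    metric, warning, critical = m.group(1), int(m.group(2)), int(m.group(3))
    if metric not in ALLOWED_METRICS:
        raise ValueError("unknown metric")
    # Assumption: a warning threshold above the critical one is a mistake.
    if warning > critical:
        raise ValueError("warning exceeds critical")
    return metric, warning, critical


def main(argv):
    if len(argv) != 2:
        print("usage: changevalue.py quality:<warning>:<critical>", file=sys.stderr)
        return 2
    try:
        metric, warning, critical = parse_thresholds(argv[1])
    except ValueError as exc:
        print("rejected argument: %s" % exc, file=sys.stderr)
        return 1
    print("%s warning=%d critical=%d" % (metric, warning, critical))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```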

albertohontoria
Path Finder

I have already tried it, without success. The result is this

| eval umbral1 = 200 * 1024 * 300 | eval umbral2 = 300 * 1024 * 300 | script python hello "quality:"+umbral1+":"+umbral2

It doesn't seem to preprocess variables passed to the script. With components like textfields and pulldowns using $variable$ it works, but using eval variables it doesn't work.

I am a bit lost about this

0 Karma

somesoni2
Revered Legend

How about this
| script python changevalue.py "quality:"+umbral1+":"+umbral2

0 Karma