Passing eval value to script

albertohontoria
Path Finder

Hi friends

I have been working for hours, but it has been impossible. It seems too easy, but I don't manage to resolve it. Please help.

I have a dashboard with Sideview Utils, with two editable textfields and a button. When the user presses the button, I have to multiply the numeric value of the textfield and pass it to an external Python script.

For example, this works:

| script python changevalue.py "quality:$warning$:$critical$" (warning and critical are the textfield names.)

But when I try to do something as simple as:

| eval umbral1 = $warning$ * 1024 * 300
| eval umbral2 = $critical$ * 1024 * 300
| script python changevalue.py "quality:$umbral1$:$umbral2$"

It fails. umbral1 and umbral2 are blank, and I can't use these variables.

It must be very simple to resolve, but I must be blind. Please help.

Regards

0 Karma

martin_mueller
SplunkTrust

You can do this:

| script python changevalue.py [stats count | eval umbral1 = $warning$ * 1024 * 300 | eval umbral2 = $critical$ * 1024 * 300 | eval param = "quality:".umbral1.":".umbral2" | return $param]

The subsearch creates a dummy event, performs your calculations, and returns a parameter string to be used by your command.
Note, if run from within a dashboard you may need to escape the dollar sign with dollar signs, similar to how you would escape a backslash with another backslash.

As an alternative, this may work in some way as well:

| stats count | eval umbral1 = $warning$ * 1024 * 300 | eval umbral2 = $critical$ * 1024 * 300 | script python changevalue.py

According to the docs, script passes the top 100 results to the script, so you should somehow be able to get that dummy event from the script.

0 Karma

martin_mueller
SplunkTrust

If you do return param you'll get param=value, if you do return $param you'll get just value without param= - the latter looked like the one you asked for in the question.

http://docs.splunk.com/Documentation/Splunk/6.0.3/SearchReference/return see example 3

0 Karma

albertohontoria
Path Finder

Thanks a lot. The returning value is in the format "param=quality:...", but I have managed to trim the string and pass it to the script.

By the way, this function doesn't work.
eval param = "quality:".umbral1.":".umbral2" | return $param

The correct way is this one:
eval param = "$vlan$:traffic:"+umbral1+":"+umbral2 | return param

Thanks again. You have my points

0 Karma
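
The values in this thread start in user-editable textfields and can reach the script blank, as unexpanded tokens, or with a "param=" prefix, so the receiving script can validate its single argument strictly before acting on it. The following is an added example, not code from the thread: the body of changevalue.py is not shown on the page, and parse_thresholds, BadArgument and the MAX_THRESHOLD bound are assumptions (Python 3).

```python
import re
import sys

# Assumed argument shape, taken from the thread: "quality:<umbral1>:<umbral2>",
# optionally prefixed with "param=" as produced by `return param`.
ARG_RE = re.compile(r"(?:param=)?(quality):([0-9]{1,15}):([0-9]{1,15})")
MAX_THRESHOLD = 10**12  # assumed sanity bound, adjust to the real unit


class BadArgument(ValueError):
    """Raised when the search passed something other than two integers."""


def parse_thresholds(arg):
    """Return (label, umbral1, umbral2) or raise BadArgument."""
    # Search-side quoting may leave literal quotes around the value.
    cleaned = arg.strip().strip('"')
    match = ARG_RE.fullmatch(cleaned)
    if match is None:
        # Covers blank fields ("quality::"), unexpanded tokens
        # ("quality:$umbral1$:$umbral2$") and any extra characters.
        raise BadArgument("unexpected argument: %r" % arg)
    label = match.group(1)
    umbral1, umbral2 = int(match.group(2)), int(match.group(3))
    if umbral1 > MAX_THRESHOLD or umbral2 > MAX_THRESHOLD:
        raise BadArgument("threshold out of range: %r" % arg)
    return label, umbral1, umbral2


def main(argv):
    if len(argv) != 2:
        print("usage: changevalue.py quality:<umbral1>:<umbral2>", file=sys.stderr)
        return 2
    try:
        label, umbral1, umbral2 = parse_thresholds(argv[1])
    except BadArgument as exc:
        print(exc, file=sys.stderr)
        return 1
    # Hypothetical: the real script would apply the thresholds here.
    print("%s warning=%d critical=%d" % (label, umbral1, umbral2))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```
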

albertohontoria
Path Finder

I have already tried it, without success. The result is this

| eval umbral1 = 200 * 1024 * 300 | eval umbral2 = 300 * 1024 * 300 | script python hello "quality:"+umbral1+":"+umbral2

It doesn't seem to preprocess variables passed to the script. With components like textfields and pulldowns using $variable$ it works, but using eval variables it doesn't work.

I am a bit lost about this

0 Karma

somesoni2
Revered Legend

How about this
| script python changevalue.py "quality:"+umbral1+":"+umbral2

0 Karma