Splunk Search

Passing eval value to script

albertohontoria
Path Finder

Hi friends

I have been working for hours, but it has been impossible. It seems too easy, but i don´t manage to resolve it. Please help.

I have a dashboard with sideview utils, with two editable textfields and a button. When the user press the button, i have to multiply the numeric value of the textfield, and pass it to an external python script

For example, this works:

| script python changevalue.py "quality:$warning$:$critical$" (warning and critical are the textfield names.

But when i try to do somethins as simple as:

| eval umbral1 = $warning$ * 1024 * 300
| eval umbral2 = $critical$ * 1024 * 300
| script python changevalue.py "quality:$umbral1$:$umbral2$"

It fails. umbral1 and umbral2 is in blank, and i can't use this variables.

It must be very simple to resolve, but i must be blind. Please help

Regards

Tags (2)
0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

You can do this:

| script python changevalue.py [stats count | eval umbral1 = $warning$ * 1024 * 300 | eval umbral2 = $critical$ * 1024 * 300 | eval param = "quality:".umbral1.":".umbral2" | return $param]

The subsearch creates a dummy event, performs your calculations, and returns a parameter string to be used by your command.
Note, if run from within a dashboard you may need to escape the dollar sign with dollar signs similar to as you would escape a backslash with another backslash.

As an alternative, this may work in some way as well:

| stats count | eval umbral1 = $warning$ * 1024 * 300 | eval umbral2 = $critical$ * 1024 * 300 | script python changevalue.py

According to the docs script passes the top 100 results to the script, so you should somehow be able to get that dummy event from the script.

View solution in original post

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

You can do this:

| script python changevalue.py [stats count | eval umbral1 = $warning$ * 1024 * 300 | eval umbral2 = $critical$ * 1024 * 300 | eval param = "quality:".umbral1.":".umbral2" | return $param]

The subsearch creates a dummy event, performs your calculations, and returns a parameter string to be used by your command.
Note, if run from within a dashboard you may need to escape the dollar sign with dollar signs similar to as you would escape a backslash with another backslash.

As an alternative, this may work in some way as well:

| stats count | eval umbral1 = $warning$ * 1024 * 300 | eval umbral2 = $critical$ * 1024 * 300 | script python changevalue.py

According to the docs script passes the top 100 results to the script, so you should somehow be able to get that dummy event from the script.

View solution in original post

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

If you do return param you'll get param=value, if you do return $param you'll get just value without param= - the latter looked like the one you asked for in the question.

http://docs.splunk.com/Documentation/Splunk/6.0.3/SearchReference/return see example 3

0 Karma

albertohontoria
Path Finder

Thanks a lot. The returning value is in the format "param=quality:...", but i have managed to trim the string and pass it to the script.

By the way, this function doesn't work.
eval param = "quality:".umbral1.":".umbral2" | return $param

The correct way is this one:
eval param = "$vlan$:traffic:"+umbral1+":"+umbral2 | return param

Thanks again. You have my points

0 Karma

albertohontoria
Path Finder

I have already tried it, without sucess. The result is this

| eval umbral1 = 200 * 1024 * 300 | eval umbral2 = 300 * 1024 * 300 | script python hello "quality:"+umbral1+":"+umbral2

It doesn´t seem to preprocess variables passed to the script. With components like textfields and pulldowns using $variable$ it works, but using eval variables it doesn't work.

I am a bit lost about this

0 Karma

somesoni2
Revered Legend

How about this
| script python changevalue.py "quality:"+umbral1+":"+umbral2

0 Karma