Solved: Please help....I'm using |eval case() with multipl...

motaghis · ‎04-17-2020

There are three conditions in my eval:
1) date=2019-Present, '"/2019","/2020"'
2) date=2019, " /2019"
3) date=2020, "/2020"

Non of the condition values pass through to **OpenedOn IN(dtok)** as expected. In the example below, OpenedOn IN(dtok) should result in OpenedOn IN('"/2019","*/2020"')*.

..base search

| eval date=2019-Present
| eval dtok=case(date=2019-Present, **'"*/2019","*/2020"'**  ,date=2019,  " /2019",  date=2020, "/2020")
| search  OpenedOn IN(**dtok**)
| bin span=1mon OpenedOn
| chart count(sys_id) as count over OpenedOn_2 by "Business Service"  limit=0 | addtotals

Thank you.

to4kawa · ‎04-18-2020

..base search (OpenedOn="*/2019" OR OpenedOn="*/2020") 

| bin span=1mon OpenedOn 
| chart count(sys_id) as count over OpenedOn_2 by "Business Service" limit=0 
| addtotals

Hi @motaghis
you don't need eval and where

try search first. no problem.
and */2019 and /2019 is same.

View solution in original post

to4kawa · ‎04-18-2020

..base search (OpenedOn="*/2019" OR OpenedOn="*/2020") 

| bin span=1mon OpenedOn 
| chart count(sys_id) as count over OpenedOn_2 by "Business Service" limit=0 
| addtotals

Hi @motaghis
you don't need eval and where

try search first. no problem.
and */2019 and /2019 is same.

motaghis · ‎04-18-2020

Hi @to4kawa. Thank you. Sorry, I'm not explaining myself clearly. This query is part of a dashboard panel that relies on user inputs from a drop down menu with three choices. Either "2019" , "2020" or both with choice "Rolling 2019-2020".

The token used for the drop down menu input is $date$. If the user selects the "Rolling 2019-2020" choice, then the token $date$ will be "2019-Present". Based on the choice of the user as seen in the XML listed below, I need to do an eval, if "2019-Present" is the value of $date$ then date_tok will return, in this exact format, the value of '"/2019","/2020"' . I get no results from this. I'm having trouble passing through '"/2019","/2020"' to the |search OpenedOn IN(date_tok) to filter the results.

======================================================================================
Here is the xml of the input Date input:

  <input type="dropdown" token="date" searchWhenChanged="true">
    <label>Year</label>
    <choice value="2019-Present">Rolling 2019-2020</choice>
    <choice value="2019">2019</choice>
    <choice value="2020">2020</choice>
  </input>

=====================================================================================
Dashboard Panel query

...base search

| eval date=$date$
| eval date_tok=case(date=2019-Present,'"/2019","/2020"' ,date=2019,"/2019" ,date=2020,"/2020")
| eval OpenedOn=date_tok

| search "Change Type" IN("$form.changerequesttype$") OpenedOn IN(date_tok)
| bin span=1mon OpenedOn
| chart count(sys_id) as count over OpenedOn_2 by "Business Service" limit=0 | addtotals

======================================================================================

Thank you.

to4kawa · ‎04-18-2020

I see.

<form hideEdit="false">
  <label>Input dropdown test</label>
  <fieldset autoRun="true" submitButton="false">
    <input type="dropdown" token="date" searchWhenChanged="true">
      <label>Year</label>
      <choice value="2019-Present">Rolling 2019-2020</choice>
      <choice value="2019">2019</choice>
      <choice value="2020">2020</choice>
      <change>
        <condition value="2019-Present">
          <set token="tok_text_1">/2019 OR /2020</set>
        </condition>
        <condition value="2019">
          <set token="tok_text_1">2019</set>
        </condition>
        <condition>
          <set token="tok_text_1">2020</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Token 1: $date$ | Token 2: $tok_text_1$</title>
      <html/>
    </panel>
  </row>
</form>

this is sample dashboard. try this.
Splunk dashboard can send two tokens at same time.

I don't know whole your query. you can create dashboard.

motaghis · ‎04-18-2020

This works beautifully! Thank you so much @to4kawa!!

manjunathmeti · ‎04-18-2020

Use match function with where command. Try this query. Here OpenedOn is matched to "/2019" OR "/2020" when date is "2019-Present".

 ..base search

 | eval date=2019-Present
 | eval dtok=case(date="2019-Present", "(/2019|/2020)", date="2019", "/2019",  date="2020", "/2020")
 | where match(OpenedOn, dtok)
 | bin span=1mon OpenedOn
 | chart count(sys_id) as count over OpenedOn_2 by "Business Service"  limit=0 | addtotals

motaghis · ‎04-18-2020

Thank you for your quick response. I tried this query and it doesn't work. My issue is I need OpenedOn to equal "/2019" and "/2020" in this format ' "/2019","/2020" ' then use | search OpenedOn IN(dtok) to filter the results for all values that were created in 2019 and 2020.

...base search

Please help....I'm using |eval case() with multiple values and need help with passing through the values to an IN() search

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?