
Please help....I'm using |eval case() with multiple values and need help with passing through the values to an IN() search

Engager

There are three conditions in my eval:
1) date=2019-Present, '"/2019","/2020"'
2) date=2019, " /2019"
3) date=2020, "/2020"

None of the condition values pass through to OpenedOn IN(dtok) as expected. In the example below, OpenedOn IN(dtok) should result in OpenedOn IN('"*/2019","*/2020"').

..base search

| eval date=2019-Present
| eval dtok=case(date=2019-Present, '"*/2019","*/2020"', date=2019, " /2019", date=2020, "/2020")
| search OpenedOn IN(dtok)
| bin span=1mon OpenedOn
| chart count(sys_id) as count over OpenedOn_2 by "Business Service"  limit=0 | addtotals

Thank you.


Influencer

Use the match function with the where command. Try this query. Here OpenedOn is matched to "/2019" OR "/2020" when date is "2019-Present".

..base search

| eval date="2019-Present"
| eval dtok=case(date="2019-Present", "(/2019|/2020)", date="2019", "/2019", date="2020", "/2020")
| where match(OpenedOn, dtok)
| bin span=1mon OpenedOn
| chart count(sys_id) as count over OpenedOn_2 by "Business Service" limit=0 | addtotals

Engager

Thank you for your quick response. I tried this query and it doesn't work. My issue is I need OpenedOn to equal "/2019" and "/2020" in this format ' "/2019","/2020" ' then use | search OpenedOn IN(dtok) to filter the results for all values that were created in 2019 and 2020.

...base search

| eval date=2019
| eval dtok=case(date="2019-Present", "(/2019|/2020)", date="2019", "/2019", date="2020", "/2020")
| where match(OpenedOn, dtok)
| bin span=1mon OpenedOn
| chart count(sys_id) as count over OpenedOn_2 by "Business Service" limit=0 | addtotals


Ultra Champion
..base search (OpenedOn="*/2019" OR OpenedOn="*/2020")

| bin span=1mon OpenedOn
| chart count(sys_id) as count over OpenedOn_2 by "Business Service" limit=0
| addtotals

Hi @motaghis,
you don't need eval and where.

Try search first, no problem.
And */2019 and /2019 are the same.

View solution in original post


Engager

Hi @to4kawa. Thank you. Sorry, I'm not explaining myself clearly. This query is part of a dashboard panel that relies on user inputs from a drop down menu with three choices. Either "2019" , "2020" or both with choice "Rolling 2019-2020".

The token used for the drop down menu input is $date$. If the user selects the "Rolling 2019-2020" choice, then the token $date$ will be "2019-Present". Based on the choice of the user as seen in the XML listed below, I need to do an eval, if "2019-Present" is the value of $date$ then date_tok will return, in this exact format, the value of '"/2019","/2020"' . I get no results from this. I'm having trouble passing through '"/2019","/2020"' to the |search OpenedOn IN(date_tok) to filter the results.

======================================================================================
Here is the XML of the Date input:

  <input type="dropdown" token="date" searchWhenChanged="true">
    <label>Year</label>
    <choice value="2019-Present">Rolling 2019-2020</choice>
    <choice value="2019">2019</choice>
    <choice value="2020">2020</choice>
  </input>

=====================================================================================
Dashboard Panel query

...base search

| eval date=$date$
| eval date_tok=case(date=2019-Present,'"/2019","/2020"' ,date=2019,"/2019" ,date=2020,"/2020")
| eval OpenedOn=date_tok

| search "Change Type" IN("$form.changerequesttype$") OpenedOn IN(date_tok)
| bin span=1mon OpenedOn
| chart count(sys_id) as count over OpenedOn_2 by "Business Service" limit=0 | addtotals

======================================================================================

Thank you.


Ultra Champion

I see.

<form hideEdit="false">
  <label>Input dropdown test</label>
  <fieldset autoRun="true" submitButton="false">
    <input type="dropdown" token="date" searchWhenChanged="true">
      <label>Year</label>
      <choice value="2019-Present">Rolling 2019-2020</choice>
      <choice value="2019">2019</choice>
      <choice value="2020">2020</choice>
      <change>
        <condition value="2019-Present">
          <set token="tok_text_1">/2019 OR /2020</set>
        </condition>
        <condition value="2019">
          <set token="tok_text_1">2019</set>
        </condition>
        <condition>
          <set token="tok_text_1">2020</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Token 1: $date$ | Token 2: $tok_text_1$</title>
      <html/>
    </panel>
  </row>
</form>

This is a sample dashboard. Try this.
A Splunk dashboard can send two tokens at the same time.

I don't know your whole query. You can create the dashboard.
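A complete Simple XML dashboard built on the pattern in this answer, added here as an example (not the thread's own dashboard): the change handler stores the ready-made IN() argument list in a second token, so the panel search needs no eval/case at all. The index name, sourcetype and the token name year_filter are assumptions.

```xml
<form>
  <label>Change requests by year</label>
  <!-- Added example, not the thread's own dashboard. Index, sourcetype and
       the token name year_filter are assumptions. -->
  <init>
    <!-- Make sure the token exists before the first search runs. -->
    <set token="year_filter">"*/2019","*/2020"</set>
  </init>
  <fieldset submitButton="false">
    <input type="dropdown" token="date" searchWhenChanged="true">
      <label>Year</label>
      <choice value="2019-Present">Rolling 2019-2020</choice>
      <choice value="2019">2019</choice>
      <choice value="2020">2020</choice>
      <default>2019-Present</default>
      <!-- The change handler runs in the browser when the choice changes and
           stores the ready-made IN() argument list in a second token, so the
           query does not need eval/case to build it at search time. -->
      <change>
        <condition value="2019-Present">
          <set token="year_filter">"*/2019","*/2020"</set>
        </condition>
        <condition value="2019">
          <set token="year_filter">"*/2019"</set>
        </condition>
        <condition>
          <set token="year_filter">"*/2020"</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Opened in $date$ (filter: $year_filter$)</title>
      <chart>
        <search>
          <!-- $year_filter$ is substituted before the search is dispatched, so
               the search command sees OpenedOn IN("*/2019","*/2020"), i.e.
               literal wildcard values rather than a field name. -->
          <query>index=change_requests sourcetype=servicenow:change
            OpenedOn IN($year_filter$)
            | stats count AS count BY "Business Service"</query>
          <earliest>-2y@y</earliest>
          <latest>now</latest>
        </search>
      </chart>
    </panel>
  </row>
</form>
```

Because the values of year_filter are fixed in the XML and only selected by the dropdown, a user cannot type SPL into this token; a free-text input substituted the same way should be quoted with the $token|s$ filter instead.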


Engager

This works beautifully! Thank you so much @to4kawa!!
