Splunk Search

Simple math and string concatenation


I have this dashboard:

  <form>
  <label>Prova_selettore_dinamico Clona v1</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="radio" token="period" searchWhenChanged="true">
      <choice value="1">Last day</choice>
      <choice value="7">Last 7 days</choice>
      <choice value="30">Last 30 days</choice>
      <choice value="365">Last 12 months</choice>
    </input>
  </fieldset>
  </form>

The token $period$ is set, for instance, to -30d (and I use this token in the query, so I need it like this).

Now what I also need is for $period$ to be doubled, for example: -60d

This implies that I have to extract the 30 from the string "-30d", double it and put it back between the "-" and the "d".

Another solution I thought of is to set 2 values for every choice of the input, like:

 <choice value="30" value2="60">Last 30 days</choice>

But this seems to be not possible.

Please help me.

I tried to integrate your code with mine and this came out:

  <form>
  <label>Prova_selettore_dinamico Clona v4</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="t" searchWhenChanged="true">
      <search>
        <query>| makeresults
               | eval x="Last day    |-1d@d  |-2d@d;
                         Last 7 days |-7d@d  |-14d@d;
                         Last 30 days|-30d@d |-60d@d"
               | makemv x delim=";"
               | mvexpand x
               | rex field=x "(?&lt;label&gt;[^\|]+)\|(?&lt;value&gt;[^\|]+)\|(?&lt;doublevalue&gt;.*)"
               | table label value doublevalue</query>
      </search>
      <change>
        <set token="double">$row.doublevalue$</set>
        <set token="nor">$row.value$</set>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>BASE QUERY
| eval when=if(_time &gt; relative_time(now(), "$nor$"), "Current_Week", "Prev_Week")
| stats count as events by source when
| chart sum(events) by source, when
| eval perc = (Current_Week-Prev_Week)/Prev_Week
| eval trend = case(perc &lt; -0.3, "basso", (perc &gt;= -0.3 and perc &lt;= 0.3), "medio", perc &gt; 0.3, "alto")
| table source, Current_Week, Prev_Week, perc, trend</query>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  </form>

Everything seems to work except one thing.
In the second row of the second query it says:

| eval when=if(_time &gt; relative_time(now(), "$nor$"), "Current_Week", "Prev_Week")

and for some reason it puts everything in Prev_Week.
Instead, if I write this line like this:

| eval when=if(_time > relative_time(now(), "-7d"), "Current_Week", "Prev_Week")

then everything works, but of course it is not dynamic.

Can you help me understand why?

Thank you

1 Solution


What you will need to do is create a dynamic query that generates a table with 3 columns, label, value and value2. Bind the results to the dropdown, and set a token on change event to pick the "double" value. Here is a "run anywhere" sample that will give you an idea on how this can be done.

  <form>
  <fieldset submitButton="false">
    <input type="dropdown" token="t">
        <search><query>| makeresults | eval x="Last day|-1d@d|-2d@d;Last 7 days|-7d@d|-14d@d;Last 30 days|-30d@d|-60d@d" | makemv x delim=";" | mvexpand x | rex field=x "(?&lt;label&gt;[^\|]+)\|(?&lt;value&gt;[^\|]+)\|(?&lt;doublevalue&gt;.*)" | table label value doublevalue</query></search>
        <change><set token="double">$row.doublevalue$</set></change>
    </input>
  </fieldset>
  <row><panel><table>
    <search><query>index=_internal earliest=$double$ | stats earliest(_time) as first latest(_time) as last | eval first=strftime(first, "%x %X") | eval last=strftime(last, "%x %X") | eval double="$double$"</query></search>
  </table></panel></row></form>


0 Karma


Please do not update the original question. Add your feedback/comments in the comments section. It's become very difficult to track.

Now, re: your issue. You don't need the "nor" token. You should use $t$ for it. So, your query should look like this:

| eval when=if(_time > relative_time(now(), "$t$"), "Current_Week", "Prev_Week") 
0 Karma


I did it and it works in the same way, still putting everything in the prev_week. 😞

0 Karma


Add this just below the <panel> tag.

<title>value=$t$; doublevalue=$double$</title>.

Do the values look right when you run it?

0 Karma


yes, the numbers look right:
value=-7d@d ; doublevalue=-14d@d
but all the data keep going into the prev_week.

And still, if I change from "$t$" to "-14d", which should be the exact same value, then it works.


0 Karma


remove the quotes around $t$.

0 Karma


if I remove the quotes around $t$ it gives me the following error:

Error in 'eval' command: The expression is malformed. Expected ).

I think it is because that $t$ is inside the query.

0 Karma


In the bottom left corner of the panel, there is a magnifying glass. Click on that, see what you get in the search

0 Karma


I get this:

eval when=if(_time > relative_time( now(), "-7d@d  " )

The problem is the space after the d.

So I changed from this

Last 7 days |-7d@d  |-14d@d;

to this

Last 7 days |-7d@d|-14d@d;

and now it seems to work.

Thank you a lot 🙂

0 Karma
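The two things this thread turns on, doubling a relative-time modifier such as "-30d" (the original question) and the trailing space that sneaked into "-7d@d  " from the padded makeresults string (the final fix), can both be checked outside Splunk before they reach a dashboard token. The following is an added example written for this page, not code from the thread or from Splunk: a small Python model of the `label|value|doublevalue` table the dropdown query builds. It parses each modifier with an anchored pattern, so any padding is rejected instead of being passed silently to `relative_time()`, and it verifies that each `doublevalue` really is twice its `value`. The function and constant names (`parse_modifier`, `double_modifier`, `build_choices`, `PADDED_SPEC`) are this example's own, and `PADDED_SPEC` is the question's padded string, reused as constructed sample input.

```python
import re

# Splunk relative-time modifier as used in the dashboard tokens: an optional
# sign, a count, a unit ("d", "h", "mon", ...) and an optional snap-to suffix
# ("@d", "@w0", ...).  Anchored with ^...$ so stray whitespace is rejected.
MODIFIER_RE = re.compile(
    r"^(?P<sign>[-+]?)(?P<count>\d+)(?P<unit>[a-zA-Z]+)(?P<snap>@\w+)?$"
)


def parse_modifier(token):
    """Split '-30d@d' into ('-', 30, 'd', '@d').

    Raises ValueError for anything that does not match, including a token that
    carries trailing whitespace such as '-7d@d  ' (the value the dashboard in
    the thread silently fed to relative_time()).
    """
    m = MODIFIER_RE.match(token)
    if m is None:
        raise ValueError(f"malformed relative-time modifier: {token!r}")
    return m["sign"], int(m["count"]), m["unit"], m["snap"] or ""


def double_modifier(token):
    """'-30d' -> '-60d', '-7d@d' -> '-14d@d': the arithmetic the question asks for."""
    sign, count, unit, snap = parse_modifier(token)
    return f"{sign}{count * 2}{unit}{snap}"


def build_choices(spec):
    """Parse the 'label|value|doublevalue;...' string used to populate the dropdown.

    Every field is stripped, so padding added for readability in a multi-line
    version of the string cannot leak into the tokens, and each doublevalue is
    checked against double_modifier(value) so a hand-maintained table cannot
    drift out of step.
    """
    choices = []
    for row in spec.split(";"):
        row = row.strip()
        if not row:
            continue
        label, value, doublevalue = (f.strip() for f in row.split("|"))
        if doublevalue != double_modifier(value):   # also validates both tokens
            raise ValueError(f"{doublevalue!r} is not double of {value!r}")
        choices.append({"label": label, "value": value, "doublevalue": doublevalue})
    return choices


# Constructed sample input: the padded multi-line string from the question.
PADDED_SPEC = """Last day    |-1d@d  |-2d@d;
                 Last 7 days |-7d@d  |-14d@d;
                 Last 30 days|-30d@d |-60d@d"""


def padded_value_is_rejected(value="-7d@d  "):
    """True when an unstripped token is refused at parse time, i.e. the
    whitespace is caught here instead of surfacing as an empty Current_Week."""
    try:
        parse_modifier(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for c in build_choices(PADDED_SPEC):
        print(f"{c['label']:<13} value={c['value']:<8} double={c['doublevalue']}")
    print(double_modifier("-30d"))
    print(padded_value_is_rejected())
```

Stripping each field in Python mirrors what the fix in the thread does by hand (removing the padding from the makeresults string); if you keep a padded, readable table, the equivalent in SPL is to trim the captured fields before they become tokens rather than relying on the rex capture groups to stop at the pipe.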


@andreafebbo Can I close out the other question as a duplicate of this one?

0 Karma


I needed it for the same dashboard, but the other one does something broader, so it would be nice to find a solution, though just for academic purposes 😛

0 Karma