Solved: To change the column value in query using eval or ...

rj1408 · ‎12-10-2020

Hi ,

So if I click at Success/Failure I'm able to get all the transaction IDs which have status Success/Failure, But if i chose Total_Transaction I'm unable to change it to "*" using eval.

Below is the query, Im using drilldown for column name and column value, since its taking column value as Total_Transaction its unable to trace to *. Need help with the eval if query.

Query-
index="int_gcg_apac_pcf_application_dm_169688" cf_org_name="CM-AP-SIT2" cf_space_name="166190_GCESMS" ESMS_MainMethod=doLostStolen OR ESMS_MainMethod=saveReqest OR ESMS_MainMethod=updateTempCreditLimit |stats dc(ESMS_TransactionID), sum(ESMS_ResponseTime), count(ESMS_StatusSuccess), count(ESMS_StatusFailure) as count by ESMS_MainMethod | rename ESMS_MainMethod as MicroService dc(ESMS_TransactionID) as Total_Transaction sum(ESMS_ResponseTime) as Total_Time count(ESMS_StatusSuccess) as Sucess count as Failure | eval "Success%"=((Success/Total_Transaction)*100) , "Failure%"=((Failure/Total_Transaction)*100), "Avg"=(Total_Time/Total_Transaction) | replace loadCardProfile1 with ESMS_CardProfile processCriteria with ESMS_GBCR saveReqest with ESMS_DB_Service doLostStolen with ESMS_LostStolen_Service doRetailConversion with ESMS_RetailConversion updateTempCreditLimit with ESMS_TempCreditLimit_Service

ITWhisperer · ‎12-10-2020

        <drilldown>
          <set token="form.MS_filter">$click.value$</set>
          <eval token="clicked_col">if($click.name2$=="Total_Transaction","*",$click.name2$)</eval>
        </drilldown>

View solution in original post

ITWhisperer · ‎12-10-2020

What have you tried? Can you share the dashboard XML?

rj1408 · ‎12-10-2020

Hi ITWhisperer,

Have used this

So here Im using drilldown to get this table from the above table:

The problem is if I click on the "Total_Transaction" I'm unable to change the value to "*", to show all the TransactionIDs.

Also can u suggest me how to hide rows alternatively whenever any of the two rows StausFailure/StatusSucces is completyly empty

My dashboard:

 <row>
    <panel>
      <title>MicroServices</title>
      <table>
        <title>The Succes Error Percentage</title>
        <search>
          <query>index="int_gcg_apac_pcf_application_dm_169688" cf_org_name="CM-AP-SIT2" cf_space_name="166190_GCESMS" ESMS_MainMethod=doLostStolen OR ESMS_MainMethod=saveReqest OR ESMS_MainMethod=updateTempCreditLimit |stats dc(ESMS_TransactionID), sum(ESMS_ResponseTime), count(ESMS_StatusSuccess), count(ESMS_StatusFailure) as count by ESMS_MainMethod | rename ESMS_MainMethod as MicroService  dc(ESMS_TransactionID) as Total_Transaction sum(ESMS_ResponseTime) as Total_Time count(ESMS_StatusSuccess) as Sucess count as Failure | eval "Success%"=((Success/Total_Transaction)*100) , "Failure%"=((Failure/Total_Transaction)*100), "Avg"=(Total_Time/Total_Transaction) | replace loadCardProfile1 with ESMS_CardProfile processCriteria with ESMS_GBCR saveReqest with ESMS_DB_Service doLostStolen with ESMS_LostStolen_Service  doRetailConversion with ESMS_RetailConversion updateTempCreditLimit with ESMS_TempCreditLimit_Service</query>
          <earliest>$timepicker.earliest$</earliest>
          <latest>$timepicker.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="form.MS_filter">$click.value$</set>
          <set token="clicked_col">$click.name2$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>TransactionIDs</title>
      <table>
        <title>$MS_filter$</title>
        <search>
          <query>index="int_gcg_apac_pcf_application_dm_169688" cf_org_name="CM-AP-SIT2" cf_space_name="166190_GCESMS"  ESMS_MS=$form.MS_filter$  ESMS_MainMethod=doLostStolen OR ESMS_MainMethod= loadCardProfile1 OR ESMS_MainMethod=processCriteria OR ESMS_MainMethod=saveReqest OR ESMS_MainMethod=updateTempCreditLimit ESMS_StatusSuccess=$clicked_col$ OR ESMS_StatusFailure=$clicked_col$  | table   ESMS_TransactionID,ESMS_Country, ESMS_ResponseTime, ESMS_MS, ESMS_StatusFailure, ESMS_StatusSuccess</query>
          <earliest>$timepicker.earliest$</earliest>
          <latest>$timepicker.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="form.TransactionID_filter">$click.value$</set>
        </drilldown>
      </table>
    </panel>
  </row>

ITWhisperer · ‎12-10-2020

        <drilldown>
          <set token="form.MS_filter">$click.value$</set>
          <eval token="clicked_col">if($click.name2$=="Total_Transaction","*",$click.name2$)</eval>
        </drilldown>

rj1408 · ‎12-10-2020

@ITWhisperer Thankyou! 🙂

rj1408 · ‎12-10-2020

@ITWhisperer

To change the column value in query using eval or regex

eval

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I

Are you a member of the Splunk Community?

To change the column value in query using eval or regex

eval

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I