Splunk Search

Tokens and Evals

Communicator

I am trying to set up a form input and I feel like I'm missing some basic understanding of how tokens work. Our data around dates is a bit of a mess, so I'm having to do evals to get the dates into one format. For the token string, I'm using:

| inputlookup foo    
| search ((Date1>=2015-10-01 Date1<=2018-09-30) OR (Date2>=2015-10-01 Date2<=2018-09-30)) 
| eval NewDate=coalesce(Date2, Date1) 
| eval NewDate=substr(NewDate, 1, len(NewDate)-3) 
| stats count by NewDate

This seems to work well until I combine it with the search in the form:

| inputlookup foo 
| search somefield=*dogs* NewDate=$newdate_token$
| chart count by DogType

This produces "No results found". What am I missing?

0 Karma

Communicator
<form>
  <label>Tokens FY Test</label>
  <description></description>
  <fieldset submitButton="false">
    <input type="dropdown" token="fy_token" searchWhenChanged="true">
      <label>Fiscal Year</label>
      <fieldForLabel>NewDate</fieldForLabel>
      <fieldForValue>NewDate</fieldForValue>
      <search>
        <query>|inputlookup foo    
| search `reportable_status`
| search ((Date1&gt;=2015-10-01 Date1&lt;=2018-09-30) OR (Date2&gt;=2015-10-01 Date2&lt;=2018-09-30)) 
| eval NewDate=coalesce(Date2, Date1) 
| eval NewDate=substr(NewDate, 1, len(NewDate)-3) 
| stats count by NewDate</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <default>FY18</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Dog Count ($fy_token$ Cumulative)</title>
      <chart>
        <title>Shows dog types for $fy_token$.</title>
        <search>
          <query>| inputlookup foo 
| search somefield=*dogs* NewDate=$fy_token$
| chart count by DogType</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
      </chart>
    </panel>
  </row>
</form>
0 Karma

SplunkTrust

I believe you should be using NewDate=$fy_token$ instead of NewDate=$newdate_token$. The token name for the value of the dropdown search is $fy_token$.

0 Karma

Communicator

Good eye, somsoni2 - that was actually an error I made when copying and pasting. I am calling for fy_token throughout the search.

0 Karma

SplunkTrust

Another thing, based on your first query:
1) The field NewDate doesn't exist in lookup foo; you have to create it using eval.
2) The value of the NewDate token would be just YYYY-mm, as you're removing the day part.

So, when you try to filter on it in the panel search, you can't reference it directly. I would change your panel search to this (add an eval for NewDate and an asterisk * at the end of the NewDate filter):

| inputlookup foo 
| eval NewDate=coalesce(Date2, Date1) 
| search somefield=*dogs* NewDate=$fy_token$*
| chart count by DogType
0 Karma

SplunkTrust

Assuming you're using this in a dashboard, could you share your dashboard XML here?

0 Karma

In the first code block, you input the contents of the lookup file "foo", perform some logic on the date fields, and create a field called NewDate that exists only for the lifetime of that search. Unless you are also saving the results of that work back into the lookup table, then NewDate will not be a field that you can search for in the future.

Hence, the second code block that is looking for some particular values of the field NewDate will always fail - because your first code block only created that field temporarily but did not save it anywhere.

(If I'm wrong, and you do have code that saves the output of the first code block, please share it, and I'll try to help troubleshoot more!)

0 Karma
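As an added illustration (not code from the thread or from Splunk), a small Python model of the two searches discussed above: the dropdown search derives NewDate only for its own lifetime, the panel search as posted filters on a field the lookup never had, and somsoni2's eval-plus-wildcard version matches the YYYY-mm token as a prefix of the full date. The rows standing in for lookup foo are constructed, and an empty Date2 cell is modelled as None so that coalesce() skips it.

```python
from collections import Counter

# Constructed rows standing in for lookup "foo" (not the poster's data).
# None models an empty Date2 cell, which is what coalesce(Date2, Date1) skips.
FOO = [
    {"Date1": "2018-09-30", "Date2": None,         "somefield": "big dogs", "DogType": "lab"},
    {"Date1": "2017-01-15", "Date2": "2018-09-02", "somefield": "dogs",     "DogType": "pug"},
    {"Date1": "2016-05-20", "Date2": None,         "somefield": "cats",     "DogType": "cat"},
    {"Date1": "2018-09-09", "Date2": None,         "somefield": "two dogs", "DogType": "lab"},
]

def with_new_date(rows):
    """| eval NewDate=coalesce(Date2, Date1): a field that exists only inside this search."""
    return [dict(r, NewDate=r["Date2"] or r["Date1"]) for r in rows]

def dropdown_values(rows):
    """The <input> search: substr(NewDate, 1, len(NewDate)-3) drops '-DD',
    then stats count by NewDate. The chosen $fy_token$ is one of these keys."""
    months = [r["NewDate"][:-3] for r in with_new_date(rows)]
    return dict(Counter(months))

def chart_count_by_dogtype(rows):
    """| chart count by DogType"""
    return dict(Counter(r["DogType"] for r in rows))

def panel_as_posted(rows, fy_token):
    """| inputlookup foo | search somefield=*dogs* NewDate=$fy_token$ | chart count by DogType
    The lookup rows carry no NewDate field, so the field filter never matches."""
    hits = [r for r in rows
            if "dogs" in r["somefield"] and r.get("NewDate") == fy_token]
    return chart_count_by_dogtype(hits)

def panel_fixed(rows, fy_token):
    """somsoni2's version: recreate NewDate with eval, then NewDate=$fy_token$*
    so the YYYY-mm token matches the YYYY-mm-DD value as a prefix."""
    hits = [r for r in with_new_date(rows)
            if "dogs" in r["somefield"] and r["NewDate"].startswith(fy_token)]
    return chart_count_by_dogtype(hits)

if __name__ == "__main__":
    print(dropdown_values(FOO))             # {'2018-09': 3, '2016-05': 1}
    print(panel_as_posted(FOO, "2018-09"))  # {}  -> "No results found"
    print(panel_fixed(FOO, "2018-09"))      # {'lab': 2, 'pug': 1}
```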

Communicator

Yes, I think you are exactly right. And the fundamental part I'm missing is HOW you save the results from the first search and send them to the second. Dashboard XML posted above.

0 Karma