Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

pass case statement result to search string

k_harini
Communicator
‎04-04-2017 01:06 AM

I have tokens coming from drilldown
index="test" | eval res_time = case( "PRIORITY CODE" == "1" ,"Resolution Time <=120",1=1,"Resolution Time <2880")| table res_time

Here res_time here generates value. But i want to pass this to search and retrieve the table. if i pass this to search its not working. May be due to quotes issue. Not sure.. Please help

Thanks,
Harini

Tags (1)
0 Karma
Reply

DalJeanis
Legend
‎04-04-2017 02:39 PM

If you are wanting to "pass this to the search", then you have to pass values that will actually tell the search what events to search for.

In this case, you need to pass "PRIORITY CODE" = "1" or pass "PRIORITY CODE" != "1".

0 Karma
Reply

woodcock
Esteemed Legend
‎04-04-2017 01:30 PM

Your references to the field names with spaces is wrong which is why I try to avoid field names with spaces until the end and then rename them with | rename Field_with_spaces AS "Field with spaces".

In any case, try this:

index="test" | eval res_time = case( 'PRIORITY CODE' == 1, 'Resolution Time' <= 120, true(), 'Resolution Time' < 2880) | table res_time

OR:

index="test" | eval res_time = case( $PRIORITY CODE$ == 1, $Resolution Time$ <= 120, true(), $Resolution Time$ < 2880) | table res_time

But that will need adjustment if saved into a dashboard panel.

0 Karma
Reply

k_harini
Communicator
‎04-05-2017 09:48 AM

Thanks woodcock. I will try this. Actually I get result with resolution time>120, resolution time<240..etc. But when I pass to search I have to pass only resolution time in quotes for it to work.. That I could not achieve. Will try this.

0 Karma
Reply

k_harini
Communicator
‎04-04-2017 01:49 AM

It is there. But I cannot call straight forward field. I need to invoke in this way. Is it possible

0 Karma
Reply

niketn
Legend
‎04-04-2017 01:47 AM

[Updated Answer] Since your search filter is being set on clicking of a cell in a table, one of the ways to set required search query filter would be to perform eval at the table drilldown event itself.

    <drilldown>
      <eval token="res_time">case($row.PRIORITY CODE$=="1","Resolution Time&lt;=120",true(),"Resolution Time&gt;2880")</eval>
    </drilldown>

This should set the token res_time to either "Resolution Time<120" or "Resolution Time>2880" depending on your PRIORITY CODE value is 1 or not.

Your current query seems to be incorrect anyways. If you want to perform search on the result/s of your main search you can use the map command. Following is a run anywhere search

| makeresults
| eval testValue=0
| eval searchQuery=case(testValue=="0","INFO",testValue=="1","WARN",testValue=="2","ERROR",1==1,"*")
| table searchQuery
| map search="search index=_internal sourcetype=splunkd log_level=\"$searchQuery$\"| head 1| eval myFilter="\$searchQuery$\"| table _time myFilter _raw"

You can also refer to my recent answer on the same line... https://answers.splunk.com/answers/515546/how-to-create-dynamic-commands-in-search.html#answer-51790...

Splunk Documentation on map command for your reference: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

k_harini
Communicator
‎04-04-2017 01:57 AM

Thanks. Will try. My current query pulls Resolution Time comparison. But If I pass in search I get no results found

0 Karma
Reply

niketn
Legend
‎04-04-2017 01:43 PM

What is the search where you want to use the res_time field?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

k_harini
Communicator
‎04-05-2017 09:50 AM

I have to search the events and pull only those records that fall into resolution comparison criteria. That criteria will come from another table cell drill down. It's kind of sla calculation based on this time in each cell..

0 Karma
Reply

niketn
Legend
‎04-06-2017 09:29 PM

@k_harini... I have updated my answer with one of the approaches to use eval to set token during table drilldown. You can get your search filter query through case statement in eval.

<eval token="res_time">case($row.PRIORITY CODE$=="1","Resolution Time&lt;=120",true(),"Resolution Time&gt;2880")</eval>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

niketn
Legend
‎04-08-2017 03:28 AM

@k_harini, please try out and confirm whether you were able to proceed or not.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

gfreitas
Builder
‎04-04-2017 01:38 AM

Do you have this field "Resolution Time"? If you want to calculate it, "Resolution Time" <=120 and "Resolution Time" <2880

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top