Splunk Search

Why is eval not taking the value of the parameter from ConvertToIntention?

Path Finder

I want to show a drilldown view. When I click on the parent graph, a compound string is passed as a parameter to ConvertToIntention. I want to split the clicked value in the underlying query. The query is as follows.

index="tougou" sourcetype="network" 
| fields  host,network_interface_name, bytes_sent_per_second, Bytes_Received_Per_Second 
| eval host_split=(split($host_if$,":")) 
| eval host_new=(mvindex(host_split,0)) 
| search host=host_new 
| timechart max(bytes_sent_per_second), max(Bytes_Received_Per_Second)  by host limit=50 useother=f

But when I use $host_if$, which is my parameter from ConvertToIntention, in the eval function, it gives the following error:

PARSER: Applying intentions failed Error in 'eval' command: The expression is malformed. Expected ).

How can I use the value from ConvertToIntention in the eval function, as I have to split that value and get the required parameter for my drilldown view?

Thanks in advance!

Splunk Employee

As you've verified, the split can be achieved by quoting the intention.

You should also be able to filter based on the value of host_new, by switching search to where:

index="tougou" sourcetype="network" 
| fields  host,network_interface_name, bytes_sent_per_second, Bytes_Received_Per_Second 
| eval host_split=(split("$host_if$",":")) 
| eval host_new=(mvindex(host_split,0)) 
| where host=host_new 
| timechart max(bytes_sent_per_second), max(Bytes_Received_Per_Second)  by host limit=50 useother=f

Since where and eval use the same functions, you can actually combine those evals with the where...

index="tougou" sourcetype="network" 
| fields  host,network_interface_name, bytes_sent_per_second, Bytes_Received_Per_Second 
| where host=mvindex(split("$host_if$",":"),0) 
| timechart max(bytes_sent_per_second), max(Bytes_Received_Per_Second)  by host limit=50 useother=f
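The approach in this answer, rewritten as a self-contained search that can be pasted into any Splunk search bar to see the split and the where filter working end to end. This is an added example, not code from the original thread: makeresults builds three constructed events with the same field names as the question, and the literal "web01:eth0" (host and interface names are invented) stands in for the clicked value that ConvertToIntention substitutes as "$host_if$" in the dashboard.

```spl
| makeresults count=3
| streamstats count AS n
| eval _time=_time-n*60,
       host=case(n==1, "web01", n==2, "web02", n==3, "web01"),
       network_interface_name=case(n==3, "eth1", true(), "eth0"),
       bytes_sent_per_second=n*1000,
       Bytes_Received_Per_Second=n*500
| eval host_if="web01:eth0"
| eval host_split=split(host_if, ":")
| eval host_new=mvindex(host_split, 0)
| where host=host_new
| timechart span=1m max(bytes_sent_per_second) AS sent, max(Bytes_Received_Per_Second) AS received by host limit=50 useother=f
```

Events 1 and 3 (host web01) survive the where and show up as the sent: web01 and received: web01 series; event 2 (web02) is dropped. In the dashboard, the `| eval host_if="web01:eth0"` line is where `"$host_if$"` goes, and the three eval/where lines collapse to `| where host=mvindex(split("$host_if$", ":"), 0)`. Swapping `| where host=host_new` for `| search host=host_new` returns nothing, because search compares host with the literal string host_new rather than with the field of that name. One caveat: the intention value is pasted into the search text before it is parsed (that is why the unquoted form in the question produced a parser error), so a clicked value containing a double quote would close the string literal early; it is worth confirming that the parent chart only hands over values taken from the host and network_interface_name fields it plotted.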

Path Finder

In the above query my view is by network interfaces, but I want to filter the results by host, which is stored in the field host_new.
search host="host_new" does not work before the timechart command. How do I assign the value of host_new as host to filter the results?


Path Finder

I have modified the query. I am getting the split value, but I want to assign that value to host before timechart.
The query is as follows:

index="tougou" sourcetype="network" 
| fields host, network_interface_name, bytes_sent_per_second, Bytes_Received_Per_Second 
| eval host_value="$host_if$" 
| eval host_split=(split(host_value,":")) 
| eval host_new=(mvindex(host_split,0)) 
| timechart max(bytes_sent_per_second), max(Bytes_Received_Per_Second) by network_interface_name limit=50 useother=f


Builder

Can you post your XML with the search and ConvertToIntention?


Splunk Employee

Is that the case if you quote "$host_if$"?
