
why is eval not taking value of Parameter from ConvertToIntention?

tkadale
Path Finder

I want to show the Drill Down View. When I click on the parent graph, a compound string is passed as a parameter to ConvertToIntention. I want to split the clicked value in the underlying query. The query is as follows.

index="tougou" sourcetype="network" 
| fields  host,network_interface_name, bytes_sent_per_second, Bytes_Received_Per_Second 
| eval host_split=(split($host_if$,":")) 
| eval host_new=(mvindex(host_split,0)) 
| search host=host_new 
| timechart max(bytes_sent_per_second), max(Bytes_Received_Per_Second)  by host limit=50 useother=f

But when I use $host_if$, which is my parameter from ConvertToIntention, in the eval function, it gives the following error:

PARSER: Applying intentions failed Error in 'eval' command: The expression is malformed. Expected ).

How can I use the value from ConvertToIntention in the eval function, as I have to split that value to get the required parameter for my drill-down view?

Thanks In Advance!

bwooden
Splunk Employee

As you've verified, the split can be achieved by quoting the intention.

You should also be able to filter based on value of host_new, by switching search to where...

index="tougou" sourcetype="network" 
| fields  host,network_interface_name, bytes_sent_per_second, Bytes_Received_Per_Second 
| eval host_split=(split("$host_if$",":")) 
| eval host_new=(mvindex(host_split,0)) 
| where host=host_new 
| timechart max(bytes_sent_per_second), max(Bytes_Received_Per_Second)  by host limit=50 useother=f

Since where and eval use the same functions, you can actually combine those evals with the where...

index="tougou" sourcetype="network" 
| fields  host,network_interface_name, bytes_sent_per_second, Bytes_Received_Per_Second 
| where host=mvindex(split("$host_if$",":"),0) 
| timechart max(bytes_sent_per_second), max(Bytes_Received_Per_Second)  by host limit=50 useother=f
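To make the behaviour behind the answer concrete, here is an added example that is not from this thread and not Splunk's own code: a small Python emulation of what ConvertToIntention does, which is plain textual substitution of the $host_if$ token into the search string before the parser sees it. It checks whether the first argument of split() is then a well-formed SPL double-quoted string literal (the unquoted form is not, which is where "The expression is malformed. Expected )" comes from), shows the difference between `search host=host_new` (right-hand side is the literal text "host_new") and `where host=mvindex(split(...),0)` (right-hand side is an expression), and adds the caveat a practitioner wants: even the quoted form is only safe if the token value cannot contain a double quote, because a quote in the value closes the literal early and whatever follows is parsed as search syntax rather than data. Inside an SPL double-quoted string a backslash escapes a quote or a backslash, so the value should be escaped that way before substitution. The function names, the sample events and the hostile token value below are all constructed for this example.

```python
"""Added example, not from the thread or from Splunk: emulate how a
ConvertToIntention $token$ is pasted into an SPL string before parsing."""
import re
from typing import Dict, List, Optional, Tuple

TOKEN_RE = re.compile(r"\$(\w+)\$")

# The two forms discussed in the thread: first argument of split() unquoted vs quoted.
TEMPLATE_UNQUOTED = '| eval host_split=split($host_if$,":")'
TEMPLATE_QUOTED = '| where host=mvindex(split("$host_if$",":"),0)'

# Constructed: a token value that closes the literal early and appends its own command.
HOSTILE_HOST_IF = 'sw01",":"),0) | eval injected="yes" | where host=mvindex(split("'

# Constructed sample events carrying the fields the thread's search keeps.
EVENTS: List[Dict[str, object]] = [
    {"host": "sw01", "network_interface_name": "eth0",
     "bytes_sent_per_second": 120, "Bytes_Received_Per_Second": 300},
    {"host": "sw01", "network_interface_name": "eth1",
     "bytes_sent_per_second": 80, "Bytes_Received_Per_Second": 40},
    {"host": "sw02", "network_interface_name": "eth0",
     "bytes_sent_per_second": 500, "Bytes_Received_Per_Second": 900},
]


def render_intention(template: str, tokens: Dict[str, str]) -> str:
    """Plain text substitution of every $name$ token; this is all the intention does."""
    return TOKEN_RE.sub(lambda m: tokens[m.group(1)], template)


def read_spl_string(expr: str, start: int) -> Optional[int]:
    """If expr[start] opens a double-quoted SPL string literal, return the index
    just past its closing quote. A backslash escapes the next character
    (a quote or a backslash) inside the literal. Return None otherwise."""
    if start >= len(expr) or expr[start] != '"':
        return None
    i = start + 1
    while i < len(expr):
        if expr[i] == "\\":
            i += 2
            continue
        if expr[i] == '"':
            return i + 1
        i += 1
    return None  # unterminated literal


def first_split_arg(search: str) -> Tuple[Optional[str], str]:
    """Return (literal, remainder) for the first argument of split(...): the
    string literal as the parser sees it (None if the argument is not a string
    literal, which is the thread's 'Expected )' case) and the text after it."""
    pos = search.find("split(")
    if pos < 0:
        return None, search
    start = pos + len("split(")
    end = read_spl_string(search, start)
    if end is None:
        return None, search[start:]
    return search[start:end], search[end:]


def spl_escape(value: str) -> str:
    """Escape a token value so it stays inside one SPL double-quoted literal."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def host_new_from(host_if: str) -> str:
    """Equivalent of mvindex(split(host_if, ":"), 0)."""
    return host_if.split(":")[0]


def where_host_equals(events: List[Dict[str, object]], host_if: str) -> List[Dict[str, object]]:
    """`where host=mvindex(split("<host_if>",":"),0)`: host compared to an expression."""
    target = host_new_from(host_if)
    return [e for e in events if e["host"] == target]


def search_host_literal(events: List[Dict[str, object]], rhs: str = "host_new") -> List[Dict[str, object]]:
    """`search host=host_new`: the right-hand side is the literal text, not a field."""
    return [e for e in events if e["host"] == rhs]


if __name__ == "__main__":
    print(first_split_arg(render_intention(TEMPLATE_UNQUOTED, {"host_if": "sw01:eth0"})))
    print(first_split_arg(render_intention(TEMPLATE_QUOTED, {"host_if": "sw01:eth0"})))
    print(first_split_arg(render_intention(TEMPLATE_QUOTED, {"host_if": HOSTILE_HOST_IF})))
    print(first_split_arg(render_intention(TEMPLATE_QUOTED, {"host_if": spl_escape(HOSTILE_HOST_IF)})))
    print(where_host_equals(EVENTS, "sw01:eth0"))
    print(search_host_literal(EVENTS))
```

With the unquoted template the rendered text is `split(sw01:eth0,":")`, and the first argument is not a string literal at all, which matches the parser error in the question. With the quoted template the benign value becomes one literal and the remainder is just `,":"),0)`. With the hostile value the literal closes after `"sw01"` and the remainder carries `| eval injected="yes"` into the search; after `spl_escape` the whole value stays inside the literal and the remainder is again `,":"),0)`. Whether such a value can actually reach the token depends on how the parent chart and the view are set up, which this thread does not show, so the escaping is a precaution rather than a claim about a specific weakness.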

tkadale
Path Finder

In the above query my view is by network interface, but I want to filter the results by the host stored in the field host_new.
search host="host_new" does not work before the timechart command. How do I assign the value of host_new to host to filter the results?


tkadale
Path Finder

I have modified the query. I am getting the split value, but I want to assign that value to host before timechart.
The query is as follows:

index="tougou" sourcetype="network" 
| fields host,network_interface_name, bytes_sent_per_second, Bytes_Received_Per_Second 
| eval host_value="$host_if$" 
| eval host_split=(split(host_value,":")) 
| eval host_new=(mvindex(host_split,0)) 
| timechart max(bytes_sent_per_second), max(Bytes_Received_Per_Second) by network_interface_name limit=50 useother=f


hazekamp
Builder

Can you post your XML with the search and ConvertToIntention?


bwooden
Splunk Employee

Is that the case if you quote "$host_if$" ?
