Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

why is eval not taking value of Parameter from ConvertToIntention?

tkadale
Path Finder
‎05-10-2011 03:40 AM

I want to show the Drill Down View. When I click on Parent graph, compound string is passed as Parameter to ConvertToIntention. I want to split the clicked value in underlying query. The query is as follows.

index="tougou" sourcetype="network" 
| fields  host,network_interface_name, bytes_sent_per_second, Bytes_Received_Per_Second 
| eval host_split=(split($host_if$,":")) 
| eval host_new=(mvindex(host_split,0)) 
| search host=host_new 
| timechart max(bytes_sent_per_second), max(Bytes_Received_Per_Second)  by host limit=50 useother=f

But when I use $host_if$ which is my parameter from ConvertToIntention, in the eval function it gives following error

PARSER: Applying intentions failed Error in 'eval' command: The expression is malformed. Expected ).

How Can I use the value from ConvertToIntention in eval function, as I have to split that value and get the required parameter for my Dril down view??

Thanks In Advance!

Reply

bwooden
Splunk Employee
Splunk Employee
‎05-11-2011 12:01 AM

As you've verified, the split can be achieved by quoting the intention.

You should also be able to filter based on value of host_new, by switching search to where...

index="tougou" sourcetype="network" 
| fields  host,network_interface_name, bytes_sent_per_second, Bytes_Received_Per_Second 
| eval host_split=(split("$host_if$",":")) 
| eval host_new=(mvindex(host_split,0)) 
| where host=host_new 
| timechart max(bytes_sent_per_second), max(Bytes_Received_Per_Second)  by host limit=50 useother=f

Since where and eval use the same functions, you can actually combine those evals with the where...

index="tougou" sourcetype="network" 
| fields  host,network_interface_name, bytes_sent_per_second, Bytes_Received_Per_Second 
| where host=mvindex(split("$host_if$",":"),0) 
| timechart max(bytes_sent_per_second), max(Bytes_Received_Per_Second)  by host limit=50 useother=f
0 Karma
Reply

tkadale
Path Finder
‎05-10-2011 09:07 PM

In above query my view is by network interfaces. but I want to filter the results by host which is stored in field host_new.
search host="host_new" does not work before timechart command. How to assign value of host_new as host to filter the results.

0 Karma
Reply

tkadale
Path Finder
‎05-10-2011 09:03 PM

I have modified the query. I am getting the split value. but I want that value to assign to host before timechart.
The query is as follows

index="tougou" sourcetype="network" | fields host,network_interface_name, bytes_sent_per_second, Bytes_Received_Per_Second | eval host_value="$host_if$" | eval host_split=(split(host_value,":")) | eval host_new=(mvindex(host_split,0)) | timechart max(bytes_sent_per_second), max(Bytes_Received_Per_Second) by network_interface_name limit=50 useother=f

0 Karma
Reply

hazekamp
Builder
‎05-10-2011 04:08 PM

Can you post your XML w/ the search and ConvertToIntention

0 Karma
Reply

bwooden
Splunk Employee
Splunk Employee
‎05-10-2011 09:05 AM

Is that the case if you quote "$host_if$" ?

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...