Simple math and string concatenation

andreafebbo
Communicator

Hi
I have this dashboard:

<form>
  <label>Prova_selettore_dinamico Clona v1</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="radio" token="period" searchWhenChanged="true">
      <label>Intervallo</label>
      <choice value="1">Last day</choice>
      <choice value="7">Last 7 days</choice>
      <choice value="30">Last 30 days</choice>
      <choice value="365">Last 12 months</choice>
      <default>30</default>
      <initialValue>-30d</initialValue>
      <prefix>-</prefix>
      <suffix>d</suffix>
    </input>
  </fieldset>
          <earliest>$period$</earliest>
          <latest>now</latest>

The token $period$ is set, for instance, to -30d (and I use this token in the query, so I need it like this).

Now what I also need is the $period$ doubled, for example: -60d

This implies that I have to extract the 30 from the string "-30d", double it and put it back between the "-" and the "d".

Another solution I thought of is to set 2 values for every choice of the input, like:

 <choice value="30" value2="60">Last 30 days</choice>

But this seems to be not possible.

Please help me.


I tried to integrate your code with mine and this came out:

<form>
  <label>Prova_selettore_dinamico Clona v4</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="t" searchWhenChanged="true">
      <label>Timerange</label>
      <search>
        <query>| makeresults
               | eval x="Last day    |-1d@d  |-2d@d;
                         Last 7 days |-7d@d  |-14d@d;
                         Last 30 days|-30d@d |-60d@d"
               | makemv x delim=";"
               | mvexpand x
               | rex field=x "(?<label>[^\|]+)\|(?<value>[^\|]+)\|(?<doublevalue>.*)"
               | table label value doublevalue</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>label</fieldForLabel>
      <fieldForValue>value</fieldForValue>
      <change>
        <set token="double">$row.doublevalue$</set>
        <set token="nor">$row.value$</set>
      </change>
      <default>dfsdfhsdgh</default>
      <initialValue>-1d@d</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>BASE QUERY   
| eval when=if(_time &gt; relative_time(now(), "$nor$"), "Current_Week", "Prev_Week")  
| stats count as events by  source when  
| chart sum(events) by source, when  
| eval perc = (Current_Week-Prev_Week)/Prev_Week 
| eval trend = case(perc < -0.3, "basso", (perc >= -0.3 and perc <= 0.3 ), "medio", perc > 0.3, "alto") 
| table source, Current_Week, Prev_Week, perc, trend</query>
          <earliest>$double$</earliest>
          <latest>now</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>

Everything seems to work except one thing.
In the second row of the second query is written:

| eval when=if(_time &gt; relative_time(now(), "$nor$"), "Current_Week", "Prev_Week") 

and for some reason it puts everything in Prev_Week.
Instead, if I write this line like this:

| eval when=if(_time > relative_time(now(), "-7d"), "Current_Week", "Prev_Week") 

then everything works, but of course it is not dynamic.

Can you help me understand why?

Thank you

1 Solution

sundareshr
Legend

What you will need to do is create a dynamic query that generates a table with 3 columns, label, value and value2. Bind the results to the dropdown, and set a token on change event to pick the "double" value. Here is a "run anywhere" sample that will give you an idea on how this can be done.

<form>
  <label>Test</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="t">
      <label>Timerange</label>
      <search>
        <query>| makeresults | eval x="Last day|-1d@d|-2d@d;Last 7 days|-7d@d|-14d@d;Last 30 days|-30d@d|-60d@d" | makemv x delim=";" | mvexpand x | rex field=x "(?<label>[^\|]+)\|(?<value>[^\|]+)\|(?<doublevalue>.*)" | table label value doublevalue</query>
      </search>
      <fieldForLabel>label</fieldForLabel>
      <fieldForValue>value</fieldForValue>
      <change>
        <set token="double">$row.doublevalue$</set>
      </change>  
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <search>
          <query>index=_internal earliest=$double$ | stats earliest(_time) as first latest(_time) as last | eval first=strftime(first, "%x %X") | eval last=strftime(last, "%x %X") | eval double="$double$"</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
      </event>
    </panel>
  </row>
</form>

sundareshr
Legend

Please do not update the original question. Add your feedback/comments in the comments section. It's become very difficult to track.

Now, re: your issue. You don't need the "nor" token. You should use $t$ for it. So, your query should look like this:

| eval when=if(_time > relative_time(now(), "$t$"), "Current_Week", "Prev_Week") 
0 Karma

andreafebbo
Communicator

I did it and it works in the same way, still putting everything in the prev_week. 😞

0 Karma

sundareshr
Legend

Add this just below the <panel> tag.

<title>value=$t$; doublevalue=$double$</title>

Do the values look right when you run it?

0 Karma

andreafebbo
Communicator

Yes, the numbers look right:
value=-7d@d ; doublevalue=-14d@d
but all the data keep going into the prev_week.

And still, if I change from "$t$" to "-14d", which should be the exact same value, then it works.

😞

0 Karma

sundareshr
Legend

Remove the quotes around $t$.

0 Karma

andreafebbo
Communicator

If I remove the quotes around $t$ it gives me the following error:

Error in 'eval' command: The expression is malformed. Expected ).

I think it is because that $t$ is inside the query.

0 Karma

sundareshr
Legend

In the bottom left corner of the panel, there is a magnifying glass. Click on that and see what you get in the search.

0 Karma

andreafebbo
Communicator

I get this:

eval when=if(_time > relative_time( now(), "-7d@d  " )

The problem is the space after the d.

So I changed from this

Last 7 days |-7d@d  |-14d@d;

to this

Last 7 days |-7d@d|-14d@d;

and now it seems to work.

Thank you a lot 🙂

0 Karma
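As an added example that is not part of the thread, the Python below mirrors the dropdown's makemv/mvexpand/rex parsing, shows why the padded multi-line layout produced a value that relative_time() rejected, and does the "-30d to -60d" doubling the original question asked for instead of hand-maintaining a second column. The MODIFIER_RE pattern and the function names are my own, not Splunk's.

```python
import re

# Constructed sample: the padded layout from the thread, which leaves
# trailing blanks inside the value column (e.g. "-7d@d  ").
PADDED_TABLE = """Last day    |-1d@d  |-2d@d;
Last 7 days |-7d@d  |-14d@d;
Last 30 days|-30d@d |-60d@d"""

# Same pattern the dropdown search uses in its rex command.
ROW_RE = re.compile(r"(?P<label>[^|]+)\|(?P<value>[^|]+)\|(?P<doublevalue>.*)")

# Splunk relative-time modifier: optional '-', amount, unit, optional snap (@d).
# Hypothetical helper pattern; Splunk accepts more forms than this.
MODIFIER_RE = re.compile(r"^(-?)(\d+)([smhdwMy])(@\w+)?$")


def parse_rows(table, strip=False):
    """Split the ';'-separated table into (label, value, doublevalue) tuples.
    With strip=False the padding survives, exactly as it did in the dashboard,
    because [^|]+ happily swallows the trailing spaces."""
    rows = []
    for chunk in table.split(";"):
        m = ROW_RE.match(chunk.strip("\n"))
        if not m:
            raise ValueError(f"row does not match: {chunk!r}")
        fields = m.group("label", "value", "doublevalue")
        rows.append(tuple(f.strip() if strip else f for f in fields))
    return rows


def is_valid_modifier(value):
    """relative_time() rejects '-7d@d  ' (trailing blanks) but accepts '-7d@d'."""
    return MODIFIER_RE.match(value) is not None


def double_modifier(value):
    """Derive the doubled span from the single one: '-30d' -> '-60d',
    '-7d@d' -> '-14d@d'. Leading/trailing blanks are tolerated here."""
    m = MODIFIER_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a relative-time modifier: {value!r}")
    sign, amount, unit, snap = m.groups()
    return f"{sign}{int(amount) * 2}{unit}{snap or ''}"
```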

sundareshr
Legend

@andreafebbo Can I close out the other question as a duplicate of this one?

0 Karma

andreafebbo
Communicator

I needed it for the same dashboard, but the other does something broader, so it would be nice to find a solution, but just for academic ends 😛

0 Karma