Hello.
I have achieved a result table using sort on a parameter. Here I am directly giving the top 20 highest results.
index=a sourcetype=b host=* earliest=-6h
| sort 0 host time
| streamstats current=f window=1 values(du) as prevdu by host
| where isnotnull(prevdu)
| eval useddiff = du - prevdu
| eval velo = useddiff/15
| stats avg(velo) by host
| table host avg(velo)
| rename avg(velo) as velocity
| sort -velocity
| head 20
Now the task that I want to achieve is that for a text input field I want to read the input as a number, set this as a threshold, and display only the top 20 results crossing the threshold.
I had tried
index=a sourcetype=b host=* earliest=-6h
| sort 0 host time
| streamstats current=f window=1 values(du) as prevdu by host
| where isnotnull(prevdu)
| eval useddiff = du - prevdu
| eval velo = useddiff/15
| stats avg(velo) by host
| table host avg(velo)
| rename avg(velo) as velocity
| convert num($myinput$) as vthold
| where velocity >= vthold
| sort -velocity
| head 20
But this is not narrowing down the results. I suspect that is because Splunk is reading it as text. Any suggestions how I could achieve the same?
@AshimaE, like @yuanliu mentioned, you should be able to use numeric comparison directly from the numeric value passed on from the text box. There is no need to convert the same.
Following is a run anywhere search which performs digit validation on textbox (you can write more specific JavaScript Regular Expression as per your needs). The token tokVelThold to be used in search gets set only when all characters entered in Text Box are digits, otherwise the Search Panel remains hidden since the token is not set.
<form>
  <fieldset submitButton="false">
    <input type="text" token="selVelThold">
      <label>Add threshold</label>
      <change>
        <eval token="tokVelThold">case(match(value, "^[0-9]+$"), $value$)</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>tokVelThold: $tokVelThold$</title>
      <table depends="$tokVelThold$">
        <search>
          <query>| makeresults
| eval velocity=1000
| eval vthold=$tokVelThold$
| where velocity >= vthold
| sort -velocity
| head 20</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
Alternatively, you can also pass all values from the Text Box to the token and default the value to 0 in case it is not a number, through:
| eval velThold=$selVelThold$
| eval velThold=case(isnum(velThold),velThold,true(),0)
| where velocity >= velThold
| sort -velocity
| head 20
The alternative worked well for the case. Thanks a lot.
Hi @AshimaE, I have converted my comment to Answer, please Accept if it helped. In the Regular Expression you can handle decimal as well (if you want to perform floating number validation).
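An added example, not part of the original thread: a JavaScript sketch of a decimal-aware version of the digit check described above, showing which text box values would set the token and which would leave the panel hidden. The function names and the sample inputs are constructed for illustration.

```javascript
// Added example (not from the thread). Function names are hypothetical.

// Digits, optionally followed by a dot and more digits. Anchored at both
// ends so nothing else (spaces, pipes, quotes, letters) can ride along
// when the token is substituted into the search text.
const DECIMAL_RE = /^[0-9]+(\.[0-9]+)?$/;

// Mirrors the <eval token="tokVelThold"> step: return the value to store
// in the token, or undefined to leave the token unset.
function thresholdToken(value) {
  const text = String(value);
  return DECIMAL_RE.test(text) ? text : undefined;
}

// Mirrors depends="$tokVelThold$": the search text exists only when the
// token is set. Token substitution is plain text replacement, which is why
// the check has to happen before the value reaches the query.
function renderSearch(value) {
  const token = thresholdToken(value);
  if (token === undefined) return null; // panel stays hidden
  return `| where velocity >= ${token} | sort -velocity | head 20`;
}

// Constructed sample inputs: valid numbers, malformed numbers, and text
// that carries extra search syntax.
const samples = ["20", "0.75", "12.", ".5", "1e3", "-3", " 20",
                 "20 | head 1", "abc", ""];

function report() {
  return samples.map((s) => ({
    input: JSON.stringify(s),
    tokenSet: thresholdToken(s) !== undefined,
  }));
}

for (const row of report()) {
  console.log(`${row.input.padEnd(16)} token set: ${row.tokenSet}`);
}
```

Only "20" and "0.75" set the token; the same pattern can be placed in the `match()` call of the `<eval>` element.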
If values in $myinput$ can be interpreted as numbers, it will be used as a number. Have you tried
| where velocity >= $myinput$
instead? There should be no convert needed.
Yes, I did try that. No narrowing down was there. Also, I need to consider decimal point numbers as my input as well.