Eval variable doesnt work when trying to search fo...

chaninphx · ‎06-30-2017

Hi I'm new to Splunk and was wondering why this command does not work, and if there is a way to fix it. I would like to use a different string to search if $drop_name$ is equal to description. This is what I'm trying before but this search will not bring up any results.

Right now txt_name is the issue.

Here is also my xml code

Indexes and Sourcetypes

This dashboard is intended to show all of the Indexes and Sourcetypes in the Splunk environment.

The Indexes panel shows all of the indexes available for storing events.

The List of Sourcetypes by Index panel lists all the current sourcetypes, arranged by Index.

</html>


<table>
  <title>Indexes</title>
  <search>
      <query>
        | inputlookup index_lookup.csv | table index description
      </query> 
      <earliest>-15m</earliest>
      <latest>now</latest>
  </search>
  <option name="wrap">true</option>
  <option name="rowNumbers">false</option>
  <option name="dataOverlayMode">none</option>
  <option name="drilldown">none</option>
  <option name="count">100</option>
</table>


<panel>
  <title>Search for Indexes and Sourcetypes</title>
  <input type="text" token="text_name">
    <default></default>
    <label>User Search</label>
  </input>
  <input type="dropdown" token="drop_name">
    <label>Search Choices</label>
    <default>sourcetype</default>
    <choice value="sourcetype">sourcetype</choice>
    <choice value="index">index</choice>
    <choice value="description">description</choice>
    <showClearButton>false</showClearButton>
  </input>
  <html>
    <button type="button">Search</button>
    <button type="button">Reset</button>
  </html>
</panel>


<table>
  <title>List of Sourcetypes by Index</title>
  <search>
    <query>| inputlookup sourcetypes_raw.csv | lookup sourcetype_lookup.csv sourcetype OUTPUT description | mvcombine sourcetype | table index sourcetype description | sort index |  eval txt_name=if("$drop_name$"=="description", "*$textname$*", "$text_name$*")  | search $drop_name$=txt_name
    </query>
    <earliest>-15m</earliest> 
    <latest>now</latest>
  </search>
  <option name="wrap">true</option>
  <option name="rowNumbers">false</option>
  <option name="dataOverlayMode">none</option>
  <option name="drilldown">none</option>
  <option name="count">50</option>
</table>

cmerriman · ‎06-30-2017

Try to emcompass them in quotes.

...|eval txt_name=if($drop_name|s$="desrciption", "$text_name$", "*$text_name$") | search $drop_name|s$="txt_name"

chaninphx · ‎06-30-2017

It still says search is waiting for input.

cmerriman · ‎06-30-2017

This is in a dashboard where there is an input with a token $drop_name$? If so, is there a submit button? When the search is waiting for an input, it generally means that the token value generated from the input hasn't been submitted. One way to debug is to add script="tokens.js" in the form node at the top of the dashboard.

chaninphx · ‎06-30-2017

I guess the easier question is how can I run different searches based off of the condition that $drop_name$=="description"?

maciep · ‎07-01-2017

can you share your dashboard xml here? And maybe describe what you're trying to accomplish? It might be easier for us to help if we see how you are defining these tokens and what they represent.

Typically, I think you would have the label of your dropdown be what the user sees and then the value of the dropdown be what you want to use in your search. But I'm not quite sure what text_name is or represents here, so not really sure where that comes into play.

Eval variable doesnt work when trying to search for results

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!