Nested eval command in search

AKG1_old1
Builder

Hi,

I have to use nested eval command in my search query.

Requirement:

if isnotnull(GC_TIMESTAMP) then
set _time = GC_TIMESTAMP
else if ($Log_or_live$=="Log")
set _time = $mlc_log_start_time$ + relative_time
else
set _time = _time

I tried to make it work but it's malformed. Please help me correct the syntax.

eval _time=if(isnotnull(GC_TIMESTAMP),GC_TIMESTAMP,(if($Log_or_live$=="Log"),$mlc_log_start_time$ + relative_time,_time)))

ryhluc01
Communicator

Please select an answer to your question.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Hi
Can you please try this one??

| eval Log_or_live="$Log_or_live$",mlc_log_start_time=tonumber("$mlc_log_start_time$") , _time=case(isnotnull(GC_TIMESTAMP),GC_TIMESTAMP,Log_or_live=="Log",mlc_log_start_time + relative_time,1=1,_time)

I have kept token value in the field and used in case.

Thanks

kamlesh_vaghela
SplunkTrust
SplunkTrust

HI

I have created Sample dashboard for you which will resolve "Waiting For input" issue.

Here I have used sample data and searches. I don't have much information about your dashboard, so I use a dropdown for the Log_or_live token and a text box for the mlc_log_start_time token.

XML

<form script="my.js">
  <label>Dashboard Dynamic Token</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="tkn_Log_or_live" id="tkn_Log_or_live_id">
      <label>Log_or_live</label>
      <choice value="Log">Log</choice>
      <choice value="Live">Live</choice>
    </input>
    <input type="text" token="tkn_mlc_log_start_time" id="tkn_mlc_log_start_time_id">
      <label>mlc_log_start_time</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>
          $Log_or_live$
        </title>
        <search>
          <query>| makeresults  | eval Log_or_live="$Log_or_live$",mlc_log_start_time=tonumber("$mlc_log_start_time$") , _time=case(isnotnull(GC_TIMESTAMP),GC_TIMESTAMP,Log_or_live=="Log",mlc_log_start_time + relative_time,1=1,_time)</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

my.js

require([
  'underscore',
  'jquery',
  'splunkjs/mvc',
  'splunkjs/mvc/tableview',
  'splunkjs/mvc/simplexml/ready!'
], function(_, $, mvc, TableView) {
  // Access the "default" and "submitted" token models
  var defaultTokenModel = mvc.Components.get('default');
  var submittedTokens = mvc.Components.get('submitted');

  // The two inputs, looked up by the id attribute set in the Simple XML
  var tkn_Log_or_live_id = mvc.Components.get('tkn_Log_or_live_id');
  var tkn_mlc_log_start_time_id = mvc.Components.get('tkn_mlc_log_start_time_id');

  // Copy the dropdown value into Log_or_live, falling back to "NoValue"
  tkn_Log_or_live_id.on('change', function(value) {
    console.log("tkn_Log_or_live_id", value);
    if (value != undefined && value != "") {
      defaultTokenModel.set("Log_or_live", value);
    } else {
      defaultTokenModel.set("Log_or_live", "NoValue");
    }
    submittedTokens.set(defaultTokenModel.toJSON());
  });

  // Copy the text box value into mlc_log_start_time, falling back to 0
  tkn_mlc_log_start_time_id.on('change', function(value) {
    console.log("tkn_mlc_log_start_time_id", value);
    if (value != undefined && value != "") {
      defaultTokenModel.set("mlc_log_start_time", value);
    } else {
      defaultTokenModel.set("mlc_log_start_time", 0);
    }
    submittedTokens.set(defaultTokenModel.toJSON());
  });

  // Initialise both tokens so the search never waits for input
  defaultTokenModel.set("Log_or_live", "NoValue");
  defaultTokenModel.set("mlc_log_start_time", 0);
  submittedTokens.set(defaultTokenModel.toJSON());
});

AKG1_old1
Builder

Sorry, I missed your answer earlier. Thanks for the help. I am not willing to use JavaScript on my dashboard as it's already too complex and we make changes very frequently, so it's difficult to maintain. Anyway, thank you so much for your suggestions.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

We have case function for that.

...| eval _time=case(isnotnull(GC_TIMESTAMP),GC_TIMESTAMP, "$Log_or_live$"=="Log",$mlc_log_start_time$ + relative_time,1=1,_time)

AKG1_old1
Builder

Thank you. It's working fine with one exception: if the value of $Log_or_live$ or $mlc_log_start_time$ is not set, the query is waiting for input, even if isnotnull(GC_TIMESTAMP) is true.

Is it possible to execute query if some token is not set in search query ?

somesoni2
SplunkTrust
SplunkTrust

Nopes. If a token is used in the search, it should be set in order to run the search. How are you populating those tokens? Maybe you can set some default values for them?

AKG1_old1
Builder

I tried that, but setting a default value for $mlc_log_start_time$ will drive my dashboard twice in the case when its value is needed. My dashboard depends on the value of this token.

Say I set its value to 0 by default. Then it generates my dashboard, and when its actual value is set it re-drives the dashboard again.

PS: It takes time to set the value of $mlc_log_start_time$ as it's derived from another query which is not very fast.

0 Karma

niketn
Legend

@agoyal, you can use the depends attribute with the two tokens on the panel where the tokens are supposed to be used. That way the panel will not display until the values are set. On top of depends you can also use the rejects attribute to show some HTML content when a token is not set.

You can check out the Null Search Swapper example in Splunk Dashboard Examples app for depends and rejects to work. Following is an example:

<panel depends="$Log_or_live$,$mlc_log_start_time$">
   .... 
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
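Added example, not part of the thread: a complete Simple XML dashboard that combines somesoni2's case() eval with niketn's depends/rejects pattern, and models the slow, search-derived mlc_log_start_time token without JavaScript and without a default value (so the panel search runs exactly once, after both tokens exist). The token and field names (Log_or_live, mlc_log_start_time, GC_TIMESTAMP, relative_time) come from the thread; the makeresults searches are constructed stand-ins for the real data and for the slow query, and the panel titles and messages are placeholders.

```xml
<form>
  <label>Nested eval with depends and rejects (added example)</label>
  <fieldset submitButton="false">
    <!-- No <default> here: Log_or_live stays unset until the user picks a value -->
    <input type="dropdown" token="Log_or_live">
      <label>Log_or_live</label>
      <choice value="Log">Log</choice>
      <choice value="Live">Live</choice>
    </input>
  </fieldset>

  <!-- Constructed stand-in for the slow search that derives mlc_log_start_time.
       The token is set only when the search finishes (<done>), and is unset
       when nothing comes back, so a stale or empty value never drives the panel. -->
  <search>
    <query>| makeresults | eval start=relative_time(now(), "-1d@d") | table start</query>
    <earliest>-24h</earliest>
    <latest>now</latest>
    <done>
      <condition match="$job.resultCount$ > 0">
        <set token="mlc_log_start_time">$result.start$</set>
      </condition>
      <condition>
        <unset token="mlc_log_start_time"></unset>
      </condition>
    </done>
  </search>

  <row>
    <!-- Shown (and searched) only once BOTH tokens are set -->
    <panel depends="$Log_or_live$,$mlc_log_start_time$">
      <title>Normalised _time for mode $Log_or_live$</title>
      <table>
        <search>
          <!-- Constructed sample rows: row 1 has GC_TIMESTAMP, rows 2 and 3 do not,
               so all three branches of the case() are exercised -->
          <query>| makeresults count=3
            | streamstats count AS n
            | eval GC_TIMESTAMP=if(n=1, _time-3600, null()), relative_time=n*60
            | eval _time=case(isnotnull(GC_TIMESTAMP), GC_TIMESTAMP,
                              "$Log_or_live$"=="Log", $mlc_log_start_time$ + relative_time,
                              1=1, _time)
            | table n _time GC_TIMESTAMP relative_time</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>

    <!-- Placeholder messages while a token is still missing -->
    <panel rejects="$Log_or_live$">
      <html><p>Select Log or Live to run the search.</p></html>
    </panel>
    <panel depends="$Log_or_live$" rejects="$mlc_log_start_time$">
      <html><p>Waiting for the start-time search to finish.</p></html>
    </panel>
  </row>
</form>
```

The depends attribute suppresses both the panel and its search until every listed token has a value, which is why no default for mlc_log_start_time is needed and the table search is not run twice. Note that rejects fires on an unset token, not on an empty string, so the `<unset>` branch in `<done>` matters: setting the token to "" would make the panel render and the search would then fail on the empty substitution in `$mlc_log_start_time$ + relative_time`.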