Splunk Search

How to use an EVAL value to feed search statement?

jcioffari
Explorer

I'm trying to establish a field value or variable to be used in a subsequent search. I've stripped out the actual use case to protect data but something like this.

TYPE is a field and has a token value from a dropdown filter in UI. I'm trying to change the value of the token to have a different suffix (RED vs BLUE) and then have the value feed a subsequent search.

| inputlookup xyz.csv
| eval VAR=if(TYPE like "%BLUE",substr(TYPE,1,len(TYPE)-4) +"_RED", null) or if(TYPE like "%RED",substr(TYPE,1,len(TYPE)-3) +"_BLUE",null) 
|search TYPE = VAR
| ...

For example if TYPE selected is "HONDA_RED" then I want to change it to "HONDA_BLUE" before starting search.
I keep getting no values returned though.


jcioffari
Explorer

Thanks, I'm getting closer. Now what's happening is the first time I select a token value, the below condition returns the proper results in my chart. However, when I then select a different token value, the chart using $CarTypeColor3$ (only 1 chart out of 4 on the dashboard uses this new variable) continues to hold onto the original value and doesn't refresh, but all the other charts tied to $CarType_Color$ do refresh properly. It's like the $CarTypeColor3$ variable is getting fixed and the only way to clear it is to click edit and save the dashboard again. A full close out and reload doesn't work.

<!-- opening <input> tag reconstructed; the token name follows the $CarType_Color$ reference used below -->
<input type="dropdown" token="CarType_Color">
  <label>CarType_Color</label>
  <fieldForLabel>CarType</fieldForLabel>
  <fieldForValue>CarType</fieldForValue>
  <search>
    <query>| inputlookup CarCompare.csv | fields CarType | dedup CarType | sort CarType</query>
  </search>
  <change>
    <set token="CarTypeColor2">$CarType_Color$</set>
    <eval token="CarTypeColor3">case(like($CarTypeColor2$,"%BLUE"),substr($CarTypeColor2$,1,len($CarTypeColor2$)-4) +"RED", like($CarTypeColor2$,"%RED"),substr($CarTypeColor2$,1,len($CarTypeColor2$)-3) +"BLUE", true(),"N/A")</eval>
  </change>
</input>

woodcock
Esteemed Legend

You need to use the drop-down token referenced to create an additional EVAL-based token in the XML and then use that new token.


niketn
Legend

@jcioffari based on the provided details, try the following search

| inputlookup xyz.csv
| eval MAKE=mvindex(split(TYPE,"_"),0)
| eval VAR=case(match(TYPE,"RED"),MAKE."_BLUE",
                     match(TYPE,"BLUE"),MAKE."_RED",
                     true(),"MAKE_UNKNOWN")
| fields - MAKE

PS: However, based on the details provided, | search TYPE = VAR is never true, hence there will be no results returned.
Also, the use of null in eval to determine VAR is not clear, nor is it described in your problem statement.

Do try out the following run anywhere search example to test and confirm whether this matches your requirement:

| makeresults
| fields - _time
| eval TYPE="TOYOTA_BLUE,HONDA_RED,NISSAN_GREY"
| makemv TYPE delim=","
| mvexpand TYPE 
| eval MAKE=mvindex(split(TYPE,"_"),0)
| eval TYPE_NEW=case(match(TYPE,"RED"),MAKE."_BLUE",
                     match(TYPE,"BLUE"),MAKE."_RED",
                     true(),"MAKE_UNKNOWN")

Let us know if you need further assistance!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

jcioffari
Explorer

Sorry, the scrubbed data example I provided wasn't clear enough. Imagine that there are dozens of car types that are blue and red (among other colors) in my inputlookup file. What I'm interested in finding is, when one specific car type and color is selected, like "HONDA_BLUE", instead of returning all the inputlookup csv fields with information on "HONDA_BLUE", I want to convert that input to be "HONDA_RED" and retrieve all the fields in the lookup file where cartype = HONDA_RED. So the case statement to convert to RED or BLUE looks good, but what I can't seem to do is feed the converted cartype value into a new search to retrieve the right fields.

As you pointed out there is no need for the null. It can just be "N/A".


niketn
Legend

@jcioffari try the following example (although the purpose of converting RED to BLUE is not clear, as it seems misleading: "select something, show something else").

<form>
  <label>Vehicle Color Make</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="tokMake" searchWhenChanged="true">
      <label>Vehicle Make</label>
      <choice value="HONDA">HONDA</choice>
      <choice value="NISSAN">NISSAN</choice>
      <choice value="TOYOTA">TOYOTA</choice>
    </input>
    <input type="dropdown" token="tokColor" searchWhenChanged="true">
      <label>Vehicle Color</label>
      <choice value="RED">RED</choice>
      <choice value="BLUE">BLUE</choice>
      <choice value="GREY">GREY</choice>
      <change>
        <!-- swap the two colors; any other selection passes through unchanged -->
        <condition value="RED">
          <set token="tokNewColor">BLUE</set>
        </condition>
        <condition value="BLUE">
          <set token="tokNewColor">RED</set>
        </condition>
        <condition>
          <set token="tokNewColor">$value$</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| inputlookup xyz.csv where TYPE="$tokMake$_$tokNewColor$"</query>
        </search>
      </table>
    </panel>
  </row>
</form>

PS: You can populate models and colors from your lookup. I have hard-coded for the simplicity of the example.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
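The two answers above hinge on one point that is easy to miss: an eval inside the lookup search computes VAR per row from that row's own TYPE, so "| search TYPE = VAR" compares a row with its own swapped value and can never match, whereas the dashboard form swaps the dropdown token once and uses the result as a literal in the where clause. The following Python script is an added illustration of that difference and is not code from the thread or from Splunk; the lookup rows are constructed for the example, and the swap mirrors the case()/match() eval from the first answer, with the suffix anchored because SPL match() is an unanchored regex.

```python
import csv
import io
import re

# Constructed stand-in for xyz.csv / CarCompare.csv (not data from the thread).
LOOKUP_CSV = """TYPE,MSRP,SEATS
HONDA_RED,27000,5
HONDA_BLUE,27500,5
TOYOTA_BLUE,26000,5
NISSAN_GREY,25000,5
"""

SUFFIX_SWAP = {"RED": "BLUE", "BLUE": "RED"}


def load_lookup(text=LOOKUP_CSV):
    """Parse the CSV the way `| inputlookup` exposes it: one dict per row."""
    return list(csv.DictReader(io.StringIO(text)))


def swap_color(value):
    """Equivalent of the case()/match() eval in the first answer.

    The suffix is anchored (_RED / _BLUE at the end of the string) because
    SPL match() is an unanchored regex search and would also fire on a make
    whose name merely contains the letters RED. Anything else maps to the
    answer's fallback value.
    """
    m = re.fullmatch(r"(.+)_(RED|BLUE)", value)
    if not m:
        return "MAKE_UNKNOWN"
    make, color = m.group(1), m.group(2)
    return f"{make}_{SUFFIX_SWAP[color]}"


def rowwise_filter(rows):
    """What `| eval VAR=... | search TYPE = VAR` actually does.

    VAR is derived from each row's own TYPE and then compared with that
    same TYPE, so no row can satisfy the condition: this is the
    "no values returned" symptom from the original question.
    """
    return [r for r in rows if r["TYPE"] == swap_color(r["TYPE"])]


def token_filter(rows, selected_type):
    """What the dashboard form does.

    The selected token is swapped once, outside the search, and the result
    is used as a literal filter, i.e. `where TYPE="$tokMake$_$tokNewColor$"`.
    """
    target = swap_color(selected_type)
    return [r for r in rows if r["TYPE"] == target]


if __name__ == "__main__":
    rows = load_lookup()
    print(rowwise_filter(rows))             # []  (nothing ever matches)
    print(token_filter(rows, "HONDA_RED"))  # the HONDA_BLUE row
    print(token_filter(rows, "NISSAN_GREY"))  # []  (no swap for GREY, so no match)
```

Running the script shows the row-wise version returning an empty list regardless of what is in the lookup, while the token-driven version returns exactly the row for the swapped value. Note that GREY yields no rows here because the first answer maps anything other than RED or BLUE to MAKE_UNKNOWN; the form in the second answer instead passes such values through unchanged via $value$.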