Solved: conditional eval ResultsValueSetter

sbsbb · ‎04-11-2013

I'm trying to do this

You can do this using conditional eval command in the search language to
create one of N different search
language strings, and then a
ResultsValueSetter to pull down that
string-valued field, and plug it into
your search using another Search
module.

I've my main search, and a table
From that table I make a postprocess to build a $varSearch$ with the search String

My Problem is my postprocess seems not to work as desired :
eval varSearch=case($row.fields.H_message_type$=="test","AA",H_message_type=="Ctest","ZZ")

This gives no results, so I'm not able to use it i the underlying search... ?

sideview · ‎04-11-2013

OK. This can work, you just have to see the search expression from splunk's perspective after the $foo$ token gets filled in.

eval varSearch=case($row.fields.H_message_type$=="test","AA",H_message_type=="Ctest","ZZ")

will go up as

eval varSearch=case(test=="test","AA",H_message_type=="Ctest","ZZ")

This is testing for when the value of the test field is equal to the string test. Change it to

eval varSearch=case("$row.fields.H_message_type$"=="test","AA",H_message_type=="Ctest","ZZ")

and what you'll be sending to splunk will look like:

eval varSearch=case("test"=="test","AA",H_message_type=="Ctest","ZZ")

Splunk may raise an eyebrow at your silly behaviour, but it will evaluate the condition to true at least. It's a strange trick but not an uncommon one when all you need is a little conditional help from the search language.

View solution in original post

sideview · ‎04-11-2013

OK. This can work, you just have to see the search expression from splunk's perspective after the $foo$ token gets filled in.

eval varSearch=case($row.fields.H_message_type$=="test","AA",H_message_type=="Ctest","ZZ")

will go up as

eval varSearch=case(test=="test","AA",H_message_type=="Ctest","ZZ")

This is testing for when the value of the test field is equal to the string test. Change it to

eval varSearch=case("$row.fields.H_message_type$"=="test","AA",H_message_type=="Ctest","ZZ")

and what you'll be sending to splunk will look like:

eval varSearch=case("test"=="test","AA",H_message_type=="Ctest","ZZ")

Splunk may raise an eyebrow at your silly behaviour, but it will evaluate the condition to true at least. It's a strange trick but not an uncommon one when all you need is a little conditional help from the search language.

sbsbb · ‎04-15-2013

Now I understand the meaning of your workaround, many thanks !

sideview · ‎04-11-2013

Again, I acknowledge that this is both weird and kind of silly. I'm working on a simple module to provide this core switching use case, so there will be a better way soon.

sideview · ‎04-11-2013

eval is a command, so there has to be a "|" character in front of it. Can you clarify what you mean by "search eval.." It sounds like you're using the search command, which will simply search for these strings and thus return no results.

try this:

| stats count | fields - count | eval varSearch=case("$row.fields.H_message_type$"=="test","AA",H_message_type=="Ctest","ZZ")

it looks bizarre because it is. | stats count creates one row with a 'count' field equal to 0. the fields clause then removes the count field leaving a row and thus a blank slate for your eval...

sbsbb · ‎04-11-2013

thanks for that.
I have still the problem that a "search eval..." return no row, how can I change this ?

In fact, it is probably the same, as when I want to make an spath on a $foo$ variable, I don't know either how to do it !

conditional eval ResultsValueSetter

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes