SPLUNK EVAL CASE LIKE CODE
| makemv reportname Report Name: $tokReport$įirst Report Name: Can you add a code to test whether condition is correct? like place the following code inside condition block: $click.name2$ Also | eval reportname="report1,report2,report3,report4,report5"
| eval reportName=mvindex(split(reportname,","),0) On clicking any particular report the tokens set are Multivalued reportname, Clicked report name and first report name.įollowing is the Simple XML Code for the dashboard snippet provided above:
There is a multi-valued field reportname. Please let me know if you would be interested in this instead of running the dummy search based approach.įollowing is a run anywhere dashboard example based on first approach as defined above. Then set the token for first report name using search event handlers or, which can access the fields (single value or first row value) using default token $result.fieldname$.Ģ) Use Simple XML JavaScript extension to extract only the first field value of a multi-valued field. I missed the point that your second eval to always extract the first value of the multivalued field was not working.įollowing are the two options you have to handle this:ġ) Run a dummy search based on multivalues token set during drilldown and extract the required position value (i.e. [Updated while my previous answer was more in terms on how event handler can only have field attribute in the block and not match. Report: $rpt_nm_tok$ - Y Axis: $y_axis_tok$ - $new_token$ Type1_tok=$type1_tok$ Report: $rpt_nm_tok$ - Y Axis: $y_axis_tok$ - $new_token$ Mvindex($row.ReportName$, $mvfind_token$) Name=$click.name$, name2=$click.name2$, value=$click.value$, value2=$click.value2$, User=$row.User$, Report=$row.ReportName$, count=$row.Count by Report$, new_token=$new_token$, mvfind_token=$mvfind_token$ Name=$click.name$, name2=$click.name2$, value=$click.value$, value2=$click.value2$, User=$row.User$, Report=$row.ReportName$, count=$row.Count by Report$, new_token=$new_token$ | rename COMMENT AS "REMOVE THESE 3 LINES!"
| rename COMMENT AS "Everything above generates sample event data everything below is optimized (it was a disaster before)."Ĭount(rsp_tm30000 AND rsp_tm60000 AND rsp_tm300000) AS cntGRT300S BY rpt_nm, usr OK, now that you have shown us your entire dashbaord, it is solvable (it was actually FAR trickier than I thought that it would be) try this (TAKE NOTE of the search optimizations, too):
0 kommentar(er)
