Solved: How do you set a token in a form that is dependent...

BlueSocket · ‎12-16-2016

I have a drilldown form that I want to call from another report, using the classic link functionality, such as:

/app/demo/drilldown?earliest=0&latest=&SessionValue=Splunk

If the SessionValue is Microsoft, then I want to change the query to use

| search Company = Microsoft

However, If the SessionValue is NOT Microsoft, then I want to set the search as:

| search Company != Microsoft

In my dataset, I will have lots of other companies, so I cannot just say something like:

| search Company = $SessionValue$

Here is a snippet of the report:

<form>
  <label>Company Drilldown</label>
    <!-- use predefined input tokens to set -->
    <!-- tokens for the selected label and value -->
    <condition match="'$Company$' == &quot;Microsoft&quot;">
      <set token="company_searchterm">Company = "Microsoft"</set>
    </condition>
    <condition match="'$Company$' != &quot;Microsoft&quot;">
      <set token="company_searchterm">Company != "Microsoft"</set>
    </condition>
  <row>

    <panel>
      <chart>
        <title>Product Sales for the $Product$ product by $Company$, split by Cost -  $company_searchterm$</title>
        <search>
          <query>index=main sourcetype=syslogs Company="*" | fields Company, Cost | search $company_searchterm$ | chart sum(Cost) by Company</query>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>
</form>

I am bashing my head against a brick wall at the moment and I don't know what I am doing wrong!

somesoni2 · ‎12-16-2016

Give this a try

Updated

 <form>
   <label>Company Drilldown</label>         
   <search>
    <query>
      | makeresults | eval searchterm=if("$Company$"="Microsoft","Company = \"Microsoft\"","Company != \"Microsoft\"") | table searchterm
    </query>
   <finalized>
   <condition>
         <set token="company_searchterm">$result.searchterm$</set>
    </finalized>       
   </done>
  </search>
   <row>
...
...
Rest of the form code>
....
....

View solution in original post

somesoni2 · ‎12-16-2016

Give this a try

Updated

 <form>
   <label>Company Drilldown</label>         
   <search>
    <query>
      | makeresults | eval searchterm=if("$Company$"="Microsoft","Company = \"Microsoft\"","Company != \"Microsoft\"") | table searchterm
    </query>
   <finalized>
   <condition>
         <set token="company_searchterm">$result.searchterm$</set>
    </finalized>       
   </done>
  </search>
   <row>
...
...
Rest of the form code>
....
....

BlueSocket · ‎12-19-2016

I downvoted this post because hmm. i tried this by executing it and when i checked the value of the $company_searchterm$, i see that it is not set to company = "microsoft", but instead, it is set to "$row.searchterm$", which does not search properly.

is there a way of getting the "set token" tag to evaluate the value in the $row.searchterm$, rather than take it as a literal?

aaraneta_splunk · ‎12-19-2016

@BlueSocket - I saw that you down voted somesoni's initial answer (but then later up voted him). Please try to reserve downvoting for suggestions or solutions that could be potentially harmful for a Splunk environment or goes completely against known best practices. Providing a comment with more information about what didn't work and what you've tried (or whatever other info may be relevant) would suffice to help you troubleshoot further.

Read how voting etiquette works in Splunk Answers:  https://answers.splunk.com/answers/244111/proper-etiquette-and-timing-for-voting-here-on-ans.html

Thank you.

BlueSocket · ‎12-20-2016

I understand. However, I did not want others to pick that up as an answer and run with it and get into trouble themselves, especially as someone else had already marked it as an answer (and the corrections were subtle when they were applied). I also attached a reason/comment to it, too.

I would not have downvoted it if someone else had not upvoted it already.

I have upvoted the answer since.

somesoni2 · ‎12-19-2016

Try the updated answer. (fixed typos)

BlueSocket · ‎12-19-2016

Thanks for that! Yes, changing from using a done XML tag to a finalized XML tag, changing the $row.searchterm$ to $result.searchterm$ and removing the basesearch attribute fixed it!

Just one thing, you may want to remove the extraneous double-quote in the "search" XML tag, for other people's benefit!

somesoni2 · ‎12-19-2016

Thanks for pointing that out. fixed.

BlueSocket · ‎12-19-2016

Hmm. I tried this by executing it and when I checked the value of the $company_searchterm$, I see that it is NOT set to Company = "Microsoft", but instead, it is set to "$row.searchterm$", which does not search properly.

Is there a way of getting the "set token" tag to evaluate the value in the $row.searchterm$, rather than take it as a literal?

How do you set a token in a form that is dependent upon a value in the request and then use it as a part of the query in Splunk 6.3.2?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes