Splunk Search

How can I get the value of a token as a search eval for another token?

tamduong16
Contributor

I have the following xml:

alt text

I want to have Name=$unit$ for the line eval token. And will have other conditions to be Name=$campus$ , etc. But I can't seem to find an escape character for splunk to understand that I want to refer to a token instead of a String. I tried 'unit', $unit$, '$unit$'. But all of them don't work. Will I be able to do this with splunk today? If not, What could be a good work around? Thanks!

0 Karma
1 Solution

niketn
Legend

@tamduong16, you can try something like the following:

Option 1: With condition match and set token

        <change>
          <condition match="value!=&quot;*&quot;">
            <set token="result">Name=&quot;unit&quot;</set>
          </condition>
        </change>

Option 2: With eval to set token

<change>
    <eval token="result">case($value$!="*","Name=\"unit\"")</eval>
</change>

Following is a run anywhere dashboard snippet to test out the same.

  <row>
    <panel>
      <input type="dropdown" token="unit" searchWhenChanged="true">
        <label>Select a unit:</label>
        <choice value="*">All</choice>
        <choice value="UnitA">UnitA</choice>
        <choice value="UnitB">UnitB</choice>
        <change>
          <condition match="value!=&quot;*&quot;">
            <set token="result">Name=&quot;unit&quot;</set>
          </condition>
        </change>
      </input>      
      <html>
        <div>$unit$ - $result$</div>
      </html>
    </panel>
  </row>

Please try out and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn
Legend

@tamduong16, you can try something like the following:

Option 1: With condition match and set token

        <change>
          <condition match="value!=&quot;*&quot;">
            <set token="result">Name=&quot;unit&quot;</set>
          </condition>
        </change>

Option 2: With eval to set token

<change>
    <eval token="result">case($value$!="*","Name=\"unit\"")</eval>
</change>

Following is a run anywhere dashboard snippet to test out the same.

  <row>
    <panel>
      <input type="dropdown" token="unit" searchWhenChanged="true">
        <label>Select a unit:</label>
        <choice value="*">All</choice>
        <choice value="UnitA">UnitA</choice>
        <choice value="UnitB">UnitB</choice>
        <change>
          <condition match="value!=&quot;*&quot;">
            <set token="result">Name=&quot;unit&quot;</set>
          </condition>
        </change>
      </input>      
      <html>
        <div>$unit$ - $result$</div>
      </html>
    </panel>
  </row>

Please try out and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

tamduong16
Contributor

Hi niketnilay, Thank you for answering my question. I tried the above but the result always comes out as the string unit. For some reason, Splunk keeps translating it to a string but not my token. Any ideas?

0 Karma

niketn
Legend

@tamduong16, based on your initial query in the question I thought you wanted to default the token $result$ to Name="unit" in case All or "*" is selected and if nothing else is selected it should be unset or null, which was not defined in your question.

Please give examples with data as to what you want the token $result$ to be set when All is selected or when any specific Unit value is selected.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

tamduong16
Contributor

So the $unit$ token could be anywhere from * to a string like "abc", "cdf123". I have 2 other token name $campus$ and $building$. I want $result$ to be "Name=$campus$$building$*" if $unit$ equal * , and $result$ to be "Name=$unit$" if $unit$ equal something else (for example, "Name=abcd345" when the value of $unit$ is "abcd345"). Thanks!

0 Karma

niketn
Legend

@tamduoung, try the following run anywhere dashboard. I have used init section to mock the campus and building tokens. You can plugin things as per your need.

<form>
  <label>Set token on condition match</label>
  <init>
    <set token="campus">MyCampus</set>
    <set token="building">BuildingA</set>
  </init>
  <fieldset submitButton="false">
  </fieldset>
  <row>
    <panel>
      <input type="dropdown" token="unit" searchWhenChanged="true">
        <label>Select a unit:</label>
        <choice value="*">All</choice>
        <choice value="UnitA">UnitA</choice>
        <choice value="UnitB">UnitB</choice>
        <change>
           <condition match="value!=&quot;*&quot;">
             <set token="result">Name=&quot;$value$&quot;</set>
           </condition>
           <condition>
             <set token="result">Name=&quot;$campus$$building$&quot;</set>
           </condition>
        </change>
      </input>      
      <html>
        <div>$unit$ - $result$</div>
      </html>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...