Why is the condition match inside selection not working?

robertlynch2020
Motivator

Hi

Normally I have code like this:

    <selection>
      <set token="time_selection.earliest">$start$</set>
      <set token="time_selection.latest">$end$</set>
    </selection>

I now have to add a condition to the selection; however, it's not working inside selection.

    <selection>
      <condition match="$save_test_time_token.earliest$ == $save_test_time_token.earliest$">
        <set token="time_selection.earliest">$start$</set>
        <set token="time_selection.latest">$end$</set>
      </condition>
    </selection>

niketn
Legend

@robertlynch2020, I don't understand the comparison of the same token on both the left and right side of the expression, i.e. $save_test_time_token.earliest$ == $save_test_time_token.earliest$. However, you can set the token conditionally using <eval> with a case condition. With the following approach the token will be set only if the expression is true; otherwise it will not be set.

The following is sample code; please change the LHS and RHS of the condition under the case statement as per your need.

    <selection>
      <eval token="time_selection.earliest">case("$save_test_time_token_earliest$"!="$save_test_time_token_latest$",$start$)</eval>
      <eval token="time_selection.latest">case("$save_test_time_token_earliest$"!="$save_test_time_token_latest$",$end$)</eval>
    </selection>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


robertlynch2020
Motivator

Thanks so much for looking at this for me.
In fact I think we are close to an answer here. Yes, I did have a typo in my initial question, sorry about that.

So this is what I am trying to do. I have a query that takes time from $time_token.earliest$. This is also a timeline chart, and it also sets the time for a different time token that drives multiple other panels.

However, I have noticed that when $time_token.earliest$=time_selection.earliest, it will still re-set the same value and this will re-drive all my other panels. This is bad for performance etc.

Original query:

    <search>
      <query></query>
      <earliest>$time_token.earliest$</earliest>
      <latest>$time_token.latest$</latest>
    </search>
    <selection>
      <unset token="execute_tps_save_test"></unset>
      <set token="time_selection.earliest">$start$</set>
      <set token="time_selection.latest">$end$</set>
    </selection>

Updated, however not 100% working. I think the issue is that it gets unset if not true, and this is NULL to my other panels.

    <search>
      <query></query>
      <earliest>$time_token.earliest$</earliest>
      <latest>$time_token.latest$</latest>
    </search>
    <selection>
      <unset token="execute_tps_save_test"></unset>
      <!--set token="time_selection.earliest">$start$</set>
      <set token="time_selection.latest">$end$</set-->
      <eval token="time_selection.earliest">case("$time_selection.earliest$"!="$time_token.earliest$",$start$)</eval>
      <eval token="time_selection.latest">case("$time_selection.latest$"!="$time_token.latest$",$end$)</eval>
    </selection>

So is there a way to check to see if you are the same as the original and do nothing, else update?


niketn
Legend

@robertlynch2020, just try == instead of != inside case condition block and the behavior should reverse.

    <eval token="time_selection.earliest">case("$time_selection.earliest$"=="$time_token.earliest$",$start$)</eval>
    <eval token="time_selection.latest">case("$time_selection.latest$"=="$time_token.latest$",$end$)</eval>

robertlynch2020
Motivator

Thanks again

In fact $time_selection.earliest$ jumps: it starts at 1518502650, then undefined, then back to 1518502650 => search reruns. Even if the two values are the same!

Is there any way to say don't change the token to undefined? In fact, don't do anything, stay 100% the same.


niketn
Legend

So that means you need an else condition, and you need to retain the token value the same as what it is. Can you try the following, where a true() condition has been added to handle the else condition and retain the original value of the token?

    <eval token="time_selection.earliest">case("$time_selection.earliest$"=="$time_token.earliest$",$start$,true(),$time_selection.earliest$)</eval>
    <eval token="time_selection.latest">case("$time_selection.latest$"=="$time_token.latest$",$end$,true(),$time_selection.latest$)</eval>

robertlynch2020
Motivator

Hi

Thanks for this, in the end I had to remove the quotes to get it to work.
Cheers for your help 🙂

    case($time_selection.earliest$ = $time_token.earliest$,$start$,true(),$time_selection.earliest$)

    case($time_selection.latest$ = $time_token.latest$,$end$,true(),$time_selection.latest$)


niketn
Legend

@robertlynch2020, glad you figured it out. I had missed that epoch time will be numeric. However, I would have expected string comparison to work as well 🙂


somesoni2
Revered Legend

The <condition> is not a valid child element for <selection> tag.
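
An added example, not part of the original thread or any poster's code: a small Python check that scans Simple XML for the two problems discussed above, a <condition> nested inside <selection> and an <eval> whose case() has no true() fallback and so leaves the token unset when nothing matches. The sample dashboard, its query, and the names lint_selection and HAS_FALLBACK are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a chart reproducing both problems from the thread,
# plus one <eval> written the way the final working answer does it.
SAMPLE = """<dashboard><row><panel><chart>
  <search>
    <query>index=_internal | timechart count</query>
    <earliest>$time_token.earliest$</earliest>
    <latest>$time_token.latest$</latest>
  </search>
  <selection>
    <condition match="$time_selection.earliest$ == $time_token.earliest$">
      <set token="time_selection.earliest">$start$</set>
    </condition>
    <eval token="time_selection.earliest">case($time_selection.earliest$ = $time_token.earliest$,$start$)</eval>
    <eval token="time_selection.latest">case($time_selection.latest$ = $time_token.latest$,$end$,true(),$time_selection.latest$)</eval>
  </selection>
</chart></panel></row></dashboard>"""

# A case() with a catch-all branch contains ", true() ," somewhere in its arguments.
HAS_FALLBACK = re.compile(r",\s*true\(\)\s*,")

def lint_selection(xml_text):
    """Return (rule, detail) findings for every <selection> in the dashboard."""
    findings = []
    for selection in ET.fromstring(xml_text).iter("selection"):
        for child in selection:
            if child.tag == "condition":
                # Per the thread, <condition> is not a valid child of <selection>.
                findings.append(("condition-in-selection", child.get("match", "")))
            elif child.tag == "eval":
                expr = (child.text or "").strip()
                # No catch-all branch: a non-matching case() leaves the token unset.
                if expr.startswith("case(") and not HAS_FALLBACK.search(expr):
                    findings.append(("case-without-fallback", child.get("token", "")))
    return findings

if __name__ == "__main__":
    for rule, detail in lint_selection(SAMPLE):
        print(f"{rule}: {detail}")
```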