- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- Substituting token names again
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Simple question I hope.
I have a dashboard that uses many tokens from input drop downs, which allow the user to cause all dashboard elements to only consider events that match all the drop downs. In my dashboard elements I end up having to put long conditions, such as (made up example):
where ("$color$"="all" or "$color$"=color) and ("$type$"="all" or type="$type$") and ("$size$"="all" or size="$size$") and ....
In an effort to reduce how many times I need to copy/update this large list of conditions across all the dashboard elements, I was hoping I could define a token like this:
<init>
<set token="cond">
("$color$"="all" or "$color$"=color) and ("$type$"="all" or type="$type$") and ("$size$"="all" or size="$size$") and ....
</set>
</init>
That appeared to work by just putting a "where $cond$" in each element instead of the long condition, but now my dashboard elements didn't react to changes in the drop downs. So I tried using $$ instead for the "cond" definition, but this causes all elements to return no results. I figure this is probably because the inner tokens are not being substituted for their proper values. Is there a way to cause this second level of substitution to happen? Or, is there another way I can accomplish the same goal of defining my large condition in a single place?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you can't use <set> when doing an eval like this. you'll need to do <eval>. you probably wouldn't want this under <init> because you don't initially know what all of those tokens are set as.
http://docs.splunk.com/Documentation/Splunk/7.0.2/Viz/tokens#Define_token_filtering_and_formatting
perhaps something like this:
<fieldset>
a bunch of inputs
<change>
<eval token="cond">("$color$"="all" or "$color$"=color) and ("$type$"="all" or type="$type$") and ("$size$"="all" or size="$size$") and .... </eval>
</change>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you can't use <set> when doing an eval like this. you'll need to do <eval>. you probably wouldn't want this under <init> because you don't initially know what all of those tokens are set as.
http://docs.splunk.com/Documentation/Splunk/7.0.2/Viz/tokens#Define_token_filtering_and_formatting
perhaps something like this:
<fieldset>
a bunch of inputs
<change>
<eval token="cond">("$color$"="all" or "$color$"=color) and ("$type$"="all" or type="$type$") and ("$size$"="all" or size="$size$") and .... </eval>
</change>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also, I don't believe I want to use the eval node, because that results in the whole expression being evaluated to true or false. I want the full evaluation to wait until the search time on each dashboard element, so that each dashboard element can evaluate the condition for each of the events it is considering.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried to add the change tag inside fieldset but got the warning
Node <change> is not allowed here
Edit - I realized that I needed to put the change node in each input, and if I use set to change the token using single $, it all works.
Thanks for getting me on the right track!
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
