Use nested conditions in xml dashboard

kikiBen12
Engager

Hi,

I have a dashboard with inputs and I use conditions to set some tokens in the change statement. I have a first condition that solves the case of the default value, and I have a second condition related to another token from another input.
Finally, I have a last condition statement working as an else to set tokens in cases other than the default value.

My problem is that in the second condition I set some tokens that I set again in the last statement, because they correspond to the cases other than the first.
The optimal solution would be to nest the second condition into the last, since it's just a specific case of the last.

Is it possible to nest conditions? I can't find a way to do this.

0 Karma

puneethgowda
Communicator

base search | search tokan1="$A$" OR tokan2="$B$" OR tokan3="$C$"

0 Karma

kikiBen12
Engager

I don't understand how to do this and why it solves my problem.

0 Karma

cmerriman
Super Champion

Can you provide some of your XML (stripped of any sensitive data) to make it easier to help?

0 Karma

kikiBen12
Engager

<input type="dropdown" token="srcIP">
  <label>IP source</label>
  <fieldForLabel>res</fieldForLabel>
  <fieldForValue>src_ip</fieldForValue>
  <search>
    <query>
      | eval res=src_ip . " (" . hostname_src . ")"
      | table res, src_ip
    </query>
    <earliest>0</earliest>
    <latest></latest>
  </search>
  <choice value="none">Aucune</choice>
  <default>none</default>
  <change>
    <condition label="Aucune">
      <unset token="show_panel_1"></unset>
      <set token="title_label_src"></set>
      <set token="src_by_clause"></set>
      <set token="src_set">false</set>
      <set token="src_ip_search"></set>
    </condition>
    <condition match="'dest_set' == &quot;true&quot;">
      <set token="src_by_clause"></set>
      <set token="dest_by_clause"></set>
      <set token="show_panel_1">true</set>
      <set token="title_label_src">depuis $label$</set>
      <set token="src_set">true</set>
      <set token="src_ip_search">src_ip=$value$</set>
    </condition>
    <condition>
      <set token="show_panel_1">true</set>
      <set token="title_label_src">depuis $label$</set>
      <set token="src_by_clause">by dest</set>
      <set token="src_set">true</set>
      <set token="src_ip_search">src_ip=$value$</set>
    </condition>
  </change>
</input>
<input type="dropdown" token="destIP">
  <label>IP destination</label>
  <fieldForLabel>res</fieldForLabel>
  <fieldForValue>dest_ip</fieldForValue>
  <search>
    <query>
      | eval res=dest_ip . "(" . hostname_dest . ")"
      | table res, dest_ip
    </query>
    <earliest>0</earliest>
    <latest></latest>
  </search>
  <choice value="none">Aucune</choice>
  <default>none</default>
  <change>
    <condition label="Aucune">
      <unset token="show_panel_2"></unset>
      <set token="title_label_dest"></set>
      <set token="dest_by_clause"></set>
      <set token="dest_set">false</set>
      <set token="dest_ip_search"></set>
    </condition>
    <condition match="'src_set' == &quot;true&quot;">
      <set token="src_by_clause"></set>
      <set token="dest_by_clause"></set>
      <set token="show_panel_2">true</set>
      <set token="title_label_dest">vers $label$</set>
      <set token="dest_set">true</set>
      <set token="dest_ip_search">dest_ip=$value$</set>
    </condition>
    <condition>
      <set token="show_panel_2">true</set>
      <set token="title_label_dest">vers $label$</set>
      <set token="dest_by_clause">by src</set>
      <set token="dest_set">true</set>
      <set token="dest_ip_search">dest_ip=$value$</set>
    </condition>
  </change>
</input>

The search using these tokens:
<query>
  $src_ip_search$ $dest_ip_search$
  | stats sparkline count $src_by_clause$ $dest_by_clause$
</query>

This input is populated by a search that returns the available source IPs. The second input is the same except it is for destination IPs.
The first condition handles the default case, which is none. At first I just had the last condition, which handles the other cases. But I needed to add the second condition to set the by clause of a stats command in a search. I want that, if the first input has a choice other than the default, it sets a token to "by dest" (for the search), reciprocally "by src" for the second input, and no by clause if the two inputs are both different from the default. So I added the second condition to reset the token to empty if the other input has a choice different from the default.

0 Karma
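One way to avoid the duplicated `<set>` lines without nesting, shown for the `srcIP` input as an added example that is not part of the thread: keep a single else `<condition>` and compute the by clause with an `<eval>` on `dest_set`. It assumes `dest_set` is always "true" or "false" (the `destIP` handlers above set it) and that `dest_by_clause` is already empty whenever `dest_set` is "false".

```xml
<change>
  <!-- Default choice: clear everything this input controls -->
  <condition label="Aucune">
    <unset token="show_panel_1"></unset>
    <set token="title_label_src"></set>
    <set token="src_by_clause"></set>
    <set token="src_set">false</set>
    <set token="src_ip_search"></set>
  </condition>
  <!-- Any other choice: the tokens common to both former branches are set once -->
  <condition>
    <set token="show_panel_1">true</set>
    <set token="title_label_src">depuis $label$</set>
    <set token="src_set">true</set>
    <set token="src_ip_search">src_ip=$value$</set>
    <!-- Former second condition folded in: no by clause when a destination
         is also selected, "by dest" otherwise. The token is wrapped in
         quotes so its value is compared as a string. -->
    <eval token="src_by_clause">if("$dest_set$" == "true", "", "by dest")</eval>
    <!-- Assumption: dest_by_clause is already empty when dest_set is "false",
         so clearing it unconditionally matches the original two branches. -->
    <set token="dest_by_clause"></set>
  </condition>
</change>
```

The `destIP` input would mirror this with `src_set`, `dest_by_clause` and "by src".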