Solved: How to unset an input token when value isn't the d...

vshakur · ‎08-16-2017

I have the following xml code:

   <change>
        <condition value="default_value">
           <unset token="some_token"></unset>
        </condition>
   </change>

I would like to unset some_token only when value DOESN'T equal "default_value".
I tried: condition value!="default_value" but it doesn't work and I get an error.

Thank you,
Samuel

sbbadri · ‎08-16-2017

try this

Check below link,
https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Viz/tokens

View solution in original post

sbbadri · ‎08-16-2017

try this

Check below link,
https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Viz/tokens

vshakur · ‎08-16-2017

It seems to be the right direction.
I just don't understand what should be the fieldname.
Should it be $current_token$? or a field from the input's search query?

sbbadri · ‎08-16-2017

You need to use field from query. You haven't posted previous lines above change tag. So that i have mentioned as fieldname

vshakur · ‎08-16-2017

Great, thanks!

How to unset an input token when value isn't the default

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?