topic Substituting token names again in Security

Substituting token names again

johnjester — Fri, 09 Mar 2018 21:23:09 GMT

Simple question I hope.

I have a dashboard that uses many tokens from input drop downs, which allow the user to cause all dashboard elements to only consider events that match all the drop downs. In my dashboard elements I end up having to put long conditions, such as (made up example):

where ("$color$"="all" or "$color$"=color) and ("$type$"="all" or type="$type$") and ("$size$"="all" or size="$size$") and ....

In an effort to reduce how many times I need to copy/update this large list of conditions across all the dashboard elements, I was hoping I could define a token like this:

<init>
  <set token="cond">
    ("$color$"="all" or "$color$"=color) and ("$type$"="all" or type="$type$") and ("$size$"="all" or size="$size$") and ....
  </set>
</init>

That appeared to work by just putting a "where $cond$" in each element instead of the long condition, but now my dashboard elements didn't react to changes in the drop downs. So I tried using $$ instead for the "cond" definition, but this causes all elements to return no results. I figure this is probably because the inner tokens are not being substituted for their proper values. Is there a way to cause this second level of substitution to happen? Or, is there another way I can accomplish the same goal of defining my large condition in a single place?

Re: Substituting token names again

cmerriman — Fri, 09 Mar 2018 21:42:36 GMT

you can't use <set> when doing an eval like this. you'll need to do <eval>. you probably wouldn't want this under <init> because you don't initially know what all of those tokens are set as.
http://docs.splunk.com/Documentation/Splunk/7.0.2/Viz/tokens#Define_token_filtering_and_formatting
perhaps something like this:

<fieldset>
a bunch of inputs
<change>
<eval token="cond">("$color$"="all" or "$color$"=color) and ("$type$"="all" or type="$type$") and ("$size$"="all" or size="$size$") and .... </eval>
</change>

Re: Substituting token names again

johnjester — Fri, 09 Mar 2018 21:59:07 GMT

I tried to add the change tag inside fieldset but got the warning

Node <change>  is not allowed here

Edit - I realized that I needed to put the change node in each input, and if I use set to change the token using single $, it all works.

Thanks for getting me on the right track!

Re: Substituting token names again

johnjester — Fri, 09 Mar 2018 22:15:42 GMT

Also, I don't believe I want to use the eval node, because that results in the whole expression being evaluated to true or false. I want the full evaluation to wait until the search time on each dashboard element, so that each dashboard element can evaluate the condition for each of the events it is considering.