Conditional set token in form input

thilleso · ‎07-15-2016

Hi,

In a dashboard I'm doing an initial token-setting search, using a lookup and a previously chosen token $token_process$.

In the lookup table columns may have a string value or be empty, and I want to save the non-empty values, but I can't seem to get it to work. Can someone help with the condition syntax?

It's possible the tokens step1...step4 each must have a condition and be set individually.

<search id="tokensearch">
  <query>| inputlookup lookup_e2e where (Key=$token_process$) | fields ProcessId, EndToEnd, Trigger, Step1, Step2, Step3, Step4</query>
  <earliest>-60m@m</earliest>
  <latest>now</latest>
  <finalized>
    <condition !-- Set these tokens always>
      <set token="token_processid">$result.ProcessId$</set>
      <set token="token_e2e">$result.EndToEnd$</set>
      <set token="token_trigger">$result.Trigger$</set>
    </condition>
    <condition !--Set tokens if their values are not NULL>
      <set token="token_step1">$result.Step1$</set>
      <set token="token_step2">$result.Step2$</set>
      <set token="token_step3">$result.Step3$</set>
      <set token="token_step4">$result.Step4$</set>
    </condition-->
  </finalized>
</search>

Regards,
Thomas

sundareshr · ‎07-15-2016

Try this

| inputlookup lookup_e2e  | search Key=$token_processed* | fields ProcessId, EndToEnd, Trigger, Step1, Step2, Step3, Step4

Conditional set token in form input

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Calling All Security Pros: Ready to Race Through Boston?

Are you a member of the Splunk Community?

Conditional set token in form input

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Calling All Security Pros: Ready to Race Through Boston?