Dashboards & Visualizations

Conditional set token in form input

thilleso
Path Finder

Hi,

In a dashboard I'm doing an initial token-setting search, using a lookup and a previously chosen token $token_process$.

In the lookup table columns may have a string value or be empty, and I want to save the non-empty values, but I can't seem to get it to work. Can someone help with the condition syntax?

It's possible the tokens step1...step4 each must have a condition and be set individually.

<search id="tokensearch">
  <query>| inputlookup lookup_e2e where (Key=$token_process$) | fields ProcessId, EndToEnd, Trigger, Step1, Step2, Step3, Step4</query>
  <earliest>-60m@m</earliest>
  <latest>now</latest>
  <finalized>
    <condition !-- Set these tokens always>
      <set token="token_processid">$result.ProcessId$</set>
      <set token="token_e2e">$result.EndToEnd$</set>
      <set token="token_trigger">$result.Trigger$</set>
    </condition>
    <condition !--Set tokens if their values are not NULL>
      <set token="token_step1">$result.Step1$</set>
      <set token="token_step2">$result.Step2$</set>
      <set token="token_step3">$result.Step3$</set>
      <set token="token_step4">$result.Step4$</set>
    </condition-->
  </finalized>
</search>

Regards,
Thomas

0 Karma

sundareshr
Legend

Try this

| inputlookup lookup_e2e  | search Key=$token_processed* | fields ProcessId, EndToEnd, Trigger, Step1, Step2, Step3, Step4
0 Karma
Get Updates on the Splunk Community!

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

  Now On Demand  Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research ...

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Automated Archival is a new capability within Metrics Management; which is a robust usage & cost optimization ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...