Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I perform a drilldown by checking multiple tokens in the same condition?

andrewtrobec
Motivator
‎08-06-2019 08:29 AM

Hello,

I have three tokens: token_1, token_2, and token_3. I'm trying to set the value of token_3 based on the values of token_1 and token_2, but I cannot for the life of me figure out the correct syntax in the drilldown tag. The conditions for setting token_3 are the following:

  1. token_1 must not be null
  2. token_2 must have value "OK"

The following XML does not create errors, but doesn't work either:

    <condition match="NOT isnull(token_1) &amp;&amp; token_2=&quot;OK&quot;">
        <set token="token_3">*</set>
    </condition>
</drilldown>

I've tried using $$ around the token names and replacing = with ==, but nothing works.

A push in the right direction would be greatly appreciated.

Thank you and best regards,

Andrew

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎08-06-2019 08:49 AM

Can you try ? 

<drilldown>
        <condition match="isnotnull($token_1$) AND $token_2$=&quot;OK&quot;">
          <set token="token_3">*</set>
      </condition>
  </drilldown>

View solution in original post

Reply
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎08-06-2019 08:49 AM

Can you try ? 

<drilldown>
        <condition match="isnotnull($token_1$) AND $token_2$=&quot;OK&quot;">
          <set token="token_3">*</set>
      </condition>
  </drilldown>
Reply
Solved! Jump to solution

kd172906
Loves-to-Learn
‎03-18-2022 12:44 PM

How would you combine "match" and "label" into a single <condition>?  I've tried the following but keep getting syntax warnings in my Splunk dashboard editor:

<condition label="Test" , match="$myToken$ = 123">
<condition label="Test" and match="$myToken$ = 123">
<condition label="Test" &amp; match="$myToken$ = 123">

 

0 Karma
Reply
Solved! Jump to solution

andrewtrobec
Motivator
‎08-06-2019 11:11 PM

@mayurr98 This works! I tried your original piece of code that didn't work, then realized that you had updated your comment with working code! I was very close, just a question of the right combination. Good to know! Thanks, very much appreciated.

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...