Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to Drilldown Conditional match with like function using a Token?

Manny
Observer
‎03-30-2022 10:34 AM

Hi,

I have tried many different ways to get a match with a like using a token to a string to set and unset a different set of tokens but I just cant seem to be able to meet the condition eventough I know I am selecting a click.value (which gets saved into a token) and that token value contains the string that I am using in the like command.

What am I doing wrong? please help.

<chart>
<search>
<query>index=car | dedup run_id | top limit=100 sourcetype | search sourcetype=$form.car_type$</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="charting.chart">column</option>
<drilldown>
<condition>
<set token="show_panel">true</set>
<set token="form.car_type">$click.value$</set>
<set token="clickedfixture">$click.value$</set>
</condition>
<condition match="like($form.car_type$,&quot;%ford%&quot;)">
<set token="carford">true</set>
<unset token="data_entry"></unset>
<unset token="attachment"></unset>
</condition>
</drilldown>
</chart>

Labels (2)
Labels
Tags (1)
0 Karma
Reply

Manny
Observer
‎03-30-2022 10:32 PM

Hi @kamlesh_vaghela it did not work. I still dont get the $carford$ set.

thx

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎03-30-2022 10:16 PM

@Manny 

Generally we kept default condition at last. Can you please try this?

<condition match="like($form.car_type$,&quot;%ford%&quot;)">
<set token="carford">true</set>
<unset token="data_entry"></unset>
<unset token="attachment"></unset>
</condition>
<condition>
<set token="show_panel">true</set>
<set token="form.car_type">$click.value$</set>
<set token="clickedfixture">$click.value$</set>
</condition>

 

KV

0 Karma
Reply

Manny
Observer
‎03-30-2022 10:39 PM

@kamlesh_vaghela  note that $form.car_type$ has a value that changes depending on what the user clicks (a drilldown) but one of the columns that can be clicked is "car_type_ford" when that gets selected I would expect that the match with the like would be satified and therefore the $carford$ would be set.

I can see that $form.car_type$ does change to "car_type_ford" but the still the token $carford$ does not get set.

thx

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎03-30-2022 11:01 PM

@Manny 

Is it possible to share XML with sample data (NO original values) here ?

KV

 

0 Karma
Reply
Get Updates on the Splunk Community!

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

Overwhelmed SOC? Splunk ES Has Your Back Tool sprawl, alert fatigue, and endless context switching are making ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us on ...