Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to set multiple tokens using "condition match"?

javierjmg
Engager
‎09-15-2017 09:55 AM

To set tokens, I have several "condition match" in a search but, if more than one condition is matched, only the first one seems to work.
To simplify my use case:

        <search>
          <query>index=_internal | stats count by host | table host, count</query>
          <earliest>@d</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
          <done>
            <condition match="len($result.host$)!=0">
              <set token="showtab1">t1</set>
            </condition>
            <condition match="len($result.count$)!=0">
              <set token="showtab2">t2</set>
            </condition>
          </done>
        </search>

What I expect is that both tokens will be set (both result.host and result.count exist and have a value).
However, only "showtab1" is set.

To my surprise, if I swap the conditions order:

        [...]
          <done>
            <condition match="len($result.count$)!=0">
              <set token="showtab2">t2</set>
            </condition>
            <condition match="len($result.host$)!=0">
              <set token="showtab1">t1</set>
            </condition>
          </done>
        [...]

Now, "showtab2" is set (and "showtab1" is unset...)

What I'm missing here?

Labels (2)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

rjthibod
Champion
‎09-15-2017 10:15 AM

The issue is only one condition is ever executed. They are like if, else-if, else structures.

So you need to combine the two outcomes in one condition and then separate them out.

    <condition match="len($result.host$)!=0 AND len($result.count$)!=0">
        <set token="showtab1">t1</set>
        <set token="showtab2">t2</set>
    <condition match="len($result.host$)!=0">
        <set token="showtab1">t1</set>
    </condition>
    <condition match="len($result.count$)!=0">
        <set token="showtab2">t2</set>
    </condition>

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎01-14-2020 08:53 AM

I have a better answer than multiplexing logic: multiple <change> sections, like this:

<change>
   <condition match="len($result.host$)!=0">
      <set token="showtab1">t1</set>
   </condition>
   <condition>
      <unset token="showtab1"></unset>
   </condition>
</change>
<change>
   <condition match="len($result.count$)!=0">
      <set token="showtab2">t2</set>
   </condition>
   <condition>
      <unset token="showtab2"></unset>
   </condition>
</change>

In the case of 2x2 like this either solution is about the same. However when you scale to a much larger matrix of fields and values, this solution is waaaaaaaaaaaaaaaaay better.

Reply
Solved! Jump to solution

stratenh
Loves-to-Learn
‎04-11-2023 06:04 AM

If this would (still) be the case, then this dashboard should be able to set one of the 2 tokens based upon the clicked checkbox:

<form theme="dark" script="simple_xml_examples:showtokens.js">
  <fieldset submitButton="false">
    <input type="checkbox" token="field1">
      <label>field1</label>
      <choice value="option1">option1</choice>
      <choice value="option2">option2</choice>
      <change>
        <condition match="isnotnull(mvfind($form.field1$,&quot;option1&quot;))">
          <set token="option1.txt">option1</set>
        </condition>
        <condition>
          <unset token="option1.txt"></unset>
        </condition>
      </change>
      <change>
        <condition match="isnotnull(mvfind($form.field1$,&quot;option2&quot;))">
          <set token="option2.txt">option2</set>
        </condition>
        <condition>
          <unset token="option2.txt"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <p>$option1.txt$</p>
        <p>$option2.txt$</p>
      </html>
    </panel>
  </row>
</form>

But, only the second change block gets hit. Or am I doing something wrong here?

0 Karma
Reply
Solved! Jump to solution

stratenh
Loves-to-Learn
‎04-11-2023 08:01 AM

This seems to work (but still feels like a work around):

<form theme="dark" script="simple_xml_examples:showtokens.js">
  <init>
    <set token="field1">off</set>
  </init>
  <fieldset submitButton="false">
    <input type="checkbox" token="field">
      <label>field</label>
      <choice value="option1">option1</choice>
      <choice value="option2">option2</choice>
      <change>
        <eval token="field1">case(isnotnull(mvfind($form.field$,&quot;option1&quot;)),"option1")</eval>
        <eval token="field2">case(isnotnull(mvfind($form.field$,&quot;option2&quot;)),"option2")</eval>
      </change>
    </input>
  </fieldset>
  <search>
    <query>
      | makeresults
      | eval option1=$field1$
    </query>
    <done>
      <condition match="isnull($field1$)">
        <unset token="option1.txt"></unset>
      </condition>
      <condition>
        <set token="option1.txt">$field1$</set>
      </condition>
    </done>
  </search>
  <search>
    <query>
      | makeresults
      | eval option2=$field2$
    </query>
    <done>
      <condition match="isnull($field2$)">
        <unset token="option2.txt"></unset>
      </condition>
      <condition>
        <set token="option2.txt">$field2$</set>
      </condition>
    </done>
  </search>
  <row>
    <panel>
      <html>
        <p>$option1.txt$</p>
        <p>$option2.txt$</p>
      </html>
    </panel>
  </row>
</form>

Does someone have a better solution?

0 Karma
Reply
Solved! Jump to solution

jagadeeshm
Contributor
‎09-14-2022 07:42 PM

How do you set multiple tokens using multiple conditions when the search results are done?

0 Karma
Reply
Solved! Jump to solution

akew
Explorer
‎02-16-2022 01:31 PM

This answer solves an issue I am having.  I like the way this is structured. 

@woodcock, if I'm reading this correctly (and a test verifies this), as soon as a condition fires, all other conditions are ignored.  There is no nesting her, but an elegant trigger condition, or an "else" condition that fires to do other business logic (show/hide here).

Very nice.

0 Karma
Reply
Solved! Jump to solution

waleeper
Explorer
‎01-30-2020 09:50 AM

According to the form documentation you can only have one change block. https://docs.splunk.com/Documentation/Splunk/8.0.1/Viz/PanelreferenceforSimplifiedXML#change_.28form...

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎01-30-2020 09:56 AM

Please post the text, too. I read the link and other than the use of the definite article "the", which only implies a constraint, I do not see a limitation listed. In any case, it does work and I often use it.

0 Karma
Reply
Solved! Jump to solution
Solution

rjthibod
Champion
‎09-15-2017 10:15 AM

The issue is only one condition is ever executed. They are like if, else-if, else structures.

So you need to combine the two outcomes in one condition and then separate them out.

    <condition match="len($result.host$)!=0 AND len($result.count$)!=0">
        <set token="showtab1">t1</set>
        <set token="showtab2">t2</set>
    <condition match="len($result.host$)!=0">
        <set token="showtab1">t1</set>
    </condition>
    <condition match="len($result.count$)!=0">
        <set token="showtab2">t2</set>
    </condition>
Reply
Solved! Jump to solution

DavidCH12345
Engager
‎11-20-2018 04:12 AM

It doesn't allow me to open two conditions and only close one. (on line 6.)
How did you get it to run when the open/close tags are not complete?

0 Karma
Reply
Solved! Jump to solution

javierjmg
Engager
‎09-15-2017 10:28 AM

It works. Many thanks.

0 Karma
Reply
Solved! Jump to solution

sayanidasgupta
Explorer
‎06-12-2018 04:17 AM

I am facing same kind of problem, please correct my code where I am doing wrong -

  <label>Select Category</label>
  <choice value="capability">CAPABILITY</choice>
  <choice value="lob">LOB</choice>
  <choice value="service">SERVICE</choice>
  <choice value="client">CLIENT</choice>
  <change>


  <set token="show_capability">true</set>
  </condition>
  <condition>
  <unset token="show_capability"></unset>
  </condition>

  <condition value="lob">
  <set token="show_lobName">true</set>
  </condition>
  <condition>
  <unset token="show_lobName"></unset>
  </condition>
  </change>





  <label>Select capability name:</label>
  <search>
    <query>|inputlookup lookup_STAACapability.csv | dedup Capability | eval Capability1=upper(Capability)| sort Capability1  |  table Capability</query>
  </search>
  <fieldForLabel>Capability</fieldForLabel>
  <fieldForValue>Capability</fieldForValue>
</input>


  <label>Select LOB Name:</label>
  <search>
    <query>|inputlookup lookup_STAALob.csv| dedup LOBName| eval LOBName1=upper(ClientName)|sort LOBName1 | table LOBName</query>
  </search>
  <fieldForLabel>LOBName</fieldForLabel>
  <fieldForValue>LOBName</fieldForValue>
</input>
 </fieldset>
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...