Tokens set by "Condition match" are not working in my dashboard

erwan_raulet
Explorer

I try to use condition match=" " to check the value of the "range" field in my search and display a table according to icon status.

<panel>
      <html>
        <h2>Title</h2>
      </html>
      <search>
        <query>myquery | rangemap field=Status low=0-1 high2=2-3 severe=4-5 default=low</query>
        <earliest>-24h</earliest>
        <latest>now</latest>        
        <preview>
          <set token="range2">$result.range$</set>        
       </preview>
          <condition match="'result.range' == high2">
            <set token="show_tab1">true</set>
            <unset token="show_tab1"></unset>
          </condition>
          <condition match="'result.range' == severe">
            <set token="show_tab2">true</set>
            <unset token="show_tab2"></unset>
          </condition>
      </search>
            <html>
                <div class="custom-result-value icon-only $range2$"></div>
            </html>
       <table depends="$show_tab1$">
         <search>
           <query>mytable1query</query>
            <earliest>-24h</earliest>
            <latest>now</latest>
         </search>
       </table>
       <table depends="$show_tab2$">
         <search>
           <query>mytable2query</query>
            <earliest>-24h</earliest>
            <latest>now</latest>
         </search>
       </table>
</panel>

Can someone help me to understand why I can not get the value of the two tokens created by condition match=" "?

0 Karma

rjthibod
Champion

Try using this block where you have preview:

         <done>
           <condition match="'result.range' == high2">
             <set token="range2">$result.range$</set>        
             <set token="show_tab1">true</set>
             <unset token="show_tab1"></unset>
           </condition>
           <condition match="'result.range' == severe">
             <set token="range2">$result.range$</set>        
             <set token="show_tab2">true</set>
             <unset token="show_tab2"></unset>
           </condition>
        </done>

erwan_raulet
Explorer

Thank you very much. It works correctly.
I do not know the <done>. What is its function and where can I find documentation?

0 Karma

erwan_raulet
Explorer

Sorry rjthibod, finally it was not good. I forgot to change the name of the token in my table. The two tokens are not evaluated with condition match = "". I do not understand why.

0 Karma

rjthibod
Champion

I am afraid I don't know what you mean. Can you restate the issue?

0 Karma

erwan_raulet
Explorer

To see if the tokens "showtab1" and "showtab2" are calculated with condition match="", I check the display of the value of the tokens "range2" and "showtab1" just after the display of the icon state. It appears that the token "showtab" does not display "true" and the table requested when $range2$ = high2.
Here is my code:

<done>
          <condition match="'range2' == high2">
            <set token="showtab1">true</set>
            <unset token="show_tab1"></unset>
          </condition>
          <condition match="'range2' == severe">
            <set token="showtab2">true</set>
            <unset token="show_tab2"></unset>
          </condition>
        </done>
      </search>
            <html>
                <div class="custom-result-value icon-only $range2$"></div>
                <li>$showtab1$</li>
                <li>$range2$</li>
            </html>
       <table depends="$showtab1$">
         <search>
           <query>my tab query</query>
            <earliest>-24h</earliest>
            <latest>now</latest>
         </search>
       </table>

Am I clearer in my explanation?

0 Karma

rjthibod
Champion

Which version of Splunk are you using? If 6.3 or 6.4, try using finalized instead of done. If 6.5, then you should be using done and the issue is something else.

0 Karma

erwan_raulet
Explorer

My Splunk version is 6.3.1 and I replaced done with finalized but the result does not change. I have no more ideas.

0 Karma

rjthibod
Champion

Are you sure the search is even running? Looking at your XML you have the search element directly as a child to a panel element. You should be putting the search under a view object like table.

Try wrapping your search inside of a table element, and put depends on the table to hide it. Something like this.

  <panel>
       <html>
         <h2>Title</h2>
       </html>
       <table depends="$hidden$">
         <search>
           <query>myquery | rangemap field=Status low=0-1 high2=2-3 severe=4-5 default=low</query>
           <earliest>-24h</earliest>
           <latest>now</latest>        
         <finalized>
           <condition match="'result.range' == high2">
             <set token="range2">$result.range$</set>
             <set token="show_tab1">true</set>
             <unset token="show_tab1"></unset>
           </condition>
           <condition match="'result.range' == severe">
             <set token="range2">$result.range$</set>
             <set token="show_tab2">true</set>
             <unset token="show_tab2"></unset>
           </condition>
         </finalized>
       </search>
     </table>
     <html>
       <div class="custom-result-value icon-only $range2$"></div>
     </html>
     <table depends="$show_tab1$">
       <search>
         <query>mytable1query</query>
           <earliest>-24h</earliest>
           <latest>now</latest>
        </search>
      </table>
      <table depends="$show_tab2$">
        <search>
          <query>mytable2query</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
  </panel>

erwan_raulet
Explorer

I tried your proposal by inserting the search in a table but the result is still not conclusive.

0 Karma

rjthibod
Champion

What about wrapping the condition terms in HTML quotes like this?

            <condition match="'result.range' == &quot;high2&quot;">
              ...
            <condition match="'result.range' == &quot;severe&quot;">
              ...

erwan_raulet
Explorer

Yes, that is right and without inserting into table. I had already tried this but I think I must have made a syntax error. Thank you for your help and I accept your answer.

0 Karma

lakshmisri
New Member

I have a similar issue. From the URL parameter I have an element that is set.
form.Response_Resolution= Response Met %
I want to apply a condition and set additional tokens that can be used in search. I have used the below code snippet and it is not working fine. Any pointers might help.

<condition match="'form.Response_Resolution' == Response Met %">
  <set token="Response_Met">Y</set>
  <set token="Resolution_Met">*</set>
</condition>
<condition match="'form.Response_Resolution' == Resolution Met %">
  <set token="Resolution_Met">Y</set>
  <set token="Response_Met">*</set>
</condition>
0 Karma

rjthibod
Champion

You are missing quotes around the strings and you have to use the html entity for the % character.

 <condition match="'form.Response_Resolution' == &quot;Response Met &#25;&quot;">
   <set token="Response_Met">Y</set>
   <set token="Resolution_Met">*</set>
 </condition>
 <condition match="'form.Response_Resolution' == &quot;Resolution Met &#25;&quot;">
   <set token="Resolution_Met">Y</set>
   <set token="Response_Met">*</set>
 </condition>
0 Karma
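
An added example (not code from the thread or from Splunk): a small Python check that parses a Simple XML dashboard and reports `<condition match="...">` comparisons whose right-hand value is not quoted, which is the mistake corrected in both answers above (`high2` and `Response Met %`). The function names and the sample dashboard are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Tokens of the eval-style expression used in <condition match="...">.
TOKEN = re.compile(r'''
    (?P<str>"(?:[^"\\]|\\.)*")           # double-quoted string literal
  | (?P<name>'[^']*')                    # single-quoted token or field name
  | (?P<num>-?\d+(?:\.\d+)?)(?![\w.])    # number
  | (?P<op>==|!=|<=|>=|<|>|=)            # comparison operator
  | (?P<paren>[()])
  | (?P<bare>[^\s()=!<>"']+)             # unquoted word
''', re.X)

def unquoted_operands(expr):
    """Unquoted words found on the right-hand side of a comparison."""
    toks = [(m.lastgroup, m.group()) for m in TOKEN.finditer(expr)]
    found = []
    for i, (kind, _) in enumerate(toks):
        if kind != "op":
            continue
        words = []
        for k, text in toks[i + 1:]:
            if text == "(" and len(words) == 1:
                words = []   # a word followed by "(" is a function call
                break
            if k != "bare" or text.upper() in ("AND", "OR"):
                break
            words.append(text)
        if words:
            found.append(" ".join(words))
    return found

def lint_dashboard(xml_text):
    """Return (handler tag, match expression, unquoted operand) per finding."""
    findings = []
    for parent in ET.fromstring(xml_text).iter():
        for cond in parent.findall("condition"):
            expr = cond.get("match", "")
            findings += [(parent.tag, expr, w) for w in unquoted_operands(expr)]
    return findings

# Constructed sample, modelled on the snippets in this thread.
SAMPLE = """<dashboard><search><done>
  <condition match="'result.range' == high2"><set token="show_tab1">true</set></condition>
  <condition match="'result.range' == &quot;severe&quot;"><set token="show_tab2">true</set></condition>
  <condition match="'form.Response_Resolution' == Response Met %"><set token="Response_Met">Y</set></condition>
</done></search></dashboard>"""

if __name__ == "__main__":
    for tag, expr, word in lint_dashboard(SAMPLE):
        print(f'<{tag}>: match="{expr}" has unquoted operand {word!r}; write &quot;{word}&quot;')
```
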

lakshmisri
New Member

For % it does not take , I used % and it worked. Thanks

0 Karma

lakshmisri
New Member

These conditions are set in the init tag of the dashboard / form and I am trying to use these tokens in search.

But the search is always waiting for an input. Is there anything else I need to take care of so that it is used in the search?

0 Karma

rjthibod
Champion

Is "form.Response_Resolution" the name of the token to which this condition block belongs?

It would help if you shared all of the XML for the input and/or your search.

0 Karma

lakshmisri
New Member

<condition match="'form.Response_Resolution'   == &quot;Response Met %&quot;">
  <set token="Response_Met" prefix="&quot;" suffix="&quot;">Y</set>
  <set token="Resolution_Met" prefix="&quot;" suffix="&quot;">*</set>
</condition>
<condition match="'form.Response_Resolution' == &quot;Resolution Met %&quot;">
  <set token="Resolution_Met" prefix="&quot;" suffix="&quot;">Y</set>
  <set token="Response_Met" prefix="&quot;" suffix="&quot;">*</set>
</condition>

Ticket Details

<panel>
  <html>
  <div class="tab_logo">
    <div class="aiam-links">
        <a href="./help" class="help"> </a>
      </div>
    <div class="accenture_logo">
      TICKET DETAILS
    </div>
  </div> 
</html>
</panel>


<panel>
  <table>
    <title>Ticket Details</title>
    <search>
      <query>| pivot app_model app_model_search count(ifact_model_search) AS "count(ifact_model_search)" SPLITROW Ticket_ID  FILTER Computed_Severity is "*" FILTER Resp_SLA_Met is $Response_Met$ FILTER Resolution_SLA_Met is $Resolution_Met$ FILTER Created_Month is "*"</query>
      <earliest>0</earliest>
      <sampleRatio>1</sampleRatio>
    </search>
  </table>
</panel>
0 Karma

rjthibod
Champion

Replace 'form.Response_Resolution' with 'value'

Also, please include the full XML definition for the input.

0 Karma

lakshmisri
New Member

There is no input field. All I have in the dashboard is a panel with the search and the filter criteria that needs to have these token values. One thing that I noticed is, if I edit the same page after it is loaded, the search results are getting loaded. I believe the search is triggered before the token is set.

0 Karma

rjthibod
Champion

Then where is the condition block you posted supposedly going? Where is "form.Response_Resolution" defined?

What version of Splunk are you using?

0 Karma