Solved: Substituting token names again

johnjester · ‎03-09-2018

Simple question I hope.

I have a dashboard that uses many tokens from input drop downs, which allow the user to cause all dashboard elements to only consider events that match all the drop downs. In my dashboard elements I end up having to put long conditions, such as (made up example):

where ("$color$"="all" or "$color$"=color) and ("$type$"="all" or type="$type$") and ("$size$"="all" or size="$size$") and ....

In an effort to reduce how many times I need to copy/update this large list of conditions across all the dashboard elements, I was hoping I could define a token like this:

<init>
  <set token="cond">
    ("$color$"="all" or "$color$"=color) and ("$type$"="all" or type="$type$") and ("$size$"="all" or size="$size$") and ....
  </set>
</init>

That appeared to work by just putting a "where $cond$" in each element instead of the long condition, but now my dashboard elements didn't react to changes in the drop downs. So I tried using $$ instead for the "cond" definition, but this causes all elements to return no results. I figure this is probably because the inner tokens are not being substituted for their proper values. Is there a way to cause this second level of substitution to happen? Or, is there another way I can accomplish the same goal of defining my large condition in a single place?

cmerriman · ‎03-09-2018

you can't use <set> when doing an eval like this. you'll need to do <eval>. you probably wouldn't want this under <init> because you don't initially know what all of those tokens are set as.
http://docs.splunk.com/Documentation/Splunk/7.0.2/Viz/tokens#Define_token_filtering_and_formatting
perhaps something like this:

<fieldset>
a bunch of inputs
<change>
<eval token="cond">("$color$"="all" or "$color$"=color) and ("$type$"="all" or type="$type$") and ("$size$"="all" or size="$size$") and .... </eval>
</change>

View solution in original post

cmerriman · ‎03-09-2018

you can't use <set> when doing an eval like this. you'll need to do <eval>. you probably wouldn't want this under <init> because you don't initially know what all of those tokens are set as.
http://docs.splunk.com/Documentation/Splunk/7.0.2/Viz/tokens#Define_token_filtering_and_formatting
perhaps something like this:

<fieldset>
a bunch of inputs
<change>
<eval token="cond">("$color$"="all" or "$color$"=color) and ("$type$"="all" or type="$type$") and ("$size$"="all" or size="$size$") and .... </eval>
</change>

johnjester · ‎03-09-2018

Also, I don't believe I want to use the eval node, because that results in the whole expression being evaluated to true or false. I want the full evaluation to wait until the search time on each dashboard element, so that each dashboard element can evaluate the condition for each of the events it is considering.

johnjester · ‎03-09-2018

I tried to add the change tag inside fieldset but got the warning

Node <change>  is not allowed here

Edit - I realized that I needed to put the change node in each input, and if I use set to change the token using single $, it all works.

Thanks for getting me on the right track!

Substituting token names again

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation