Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Combine field and match conditions

vigneshtv
Explorer
‎02-17-2020 01:37 AM 
I am trying to set 2 tokens based on field and match but I think if 1st condition is matched, 2nd is not evaluated so please suggest the correct method of doing this. The following is what I tried

<condition field=field1>

<set token="clicked_field">field1</set>

</condition>


<condition match="$row.field1$==value1">

<set token="temp" >"v1 v2"</set>

</condition>
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎02-17-2020 09:04 PM

You can use one condition element for both the conditions. For second condition use eval element like this.

<drilldown>
    <condition field="field1">
        <set token="clicked_field">field1</set>
        <eval token="temp">if(match("value1", $row.field1$), "v1 v2", "")</eval>
    </condition>
</drilldown>

View solution in original post

Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎02-17-2020 09:04 PM

You can use one condition element for both the conditions. For second condition use eval element like this.

<drilldown>
    <condition field="field1">
        <set token="clicked_field">field1</set>
        <eval token="temp">if(match("value1", $row.field1$), "v1 v2", "")</eval>
    </condition>
</drilldown>
Reply
Solved! Jump to solution

vigneshtv
Explorer
‎02-17-2020 10:32 PM

Thanks for your answer. I want to add some more details to my question. I have a lengthy list of possible values for $row.field1$ for which the corresponding values of temp are different. For each possible value in $row.field1$ , I want to set a corresponding value in temp. Say, if $row.field1$ is vehicle, I want my temp to be "Cycle Car" or if $row.field1$ is fruit, I want my temp to be "Apple Orange" and so on.

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎02-18-2020 07:28 AM

You can use case statement:

<eval token="temp">case(match("vehicle", $row.field1$), "Cycle Car", match("fruit", $row.field1$), "Apple Orange")</eval>
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎02-18-2020 11:34 PM

Also if you have too many values in field1 then it's better you create a csv lookup with field1 and temp values and use it in your search directly. Only thing is temp values are displayed in the results. Then set token based on row is clicked.

 <drilldown>
     <set token="temp">$row.temp$</eval>
 </drilldown>
0 Karma
Reply
Solved! Jump to solution

jpolvino
Builder
‎02-17-2020 01:44 PM

Can you please post more of your XML? Are you trying to set some tokens based upon the result of a search, or when an input changes?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...