Splunk Search

Combine field and match conditions

vigneshtv
Explorer
I am trying to set 2 tokens based on field and match but I think if 1st condition is matched, 2nd is not evaluated so please suggest the correct method of doing this. The following is what I tried

<condition field=field1>

<set token="clicked_field">field1</set>

</condition>


<condition match="$row.field1$==value1">

<set token="temp" >"v1 v2"</set>

</condition>
0 Karma
1 Solution

manjunathmeti
SplunkTrust
SplunkTrust

You can use one condition element for both the conditions. For second condition use eval element like this.

<drilldown>
    <condition field="field1">
        <set token="clicked_field">field1</set>
        <eval token="temp">if(match("value1", $row.field1$), "v1 v2", "")</eval>
    </condition>
</drilldown>

View solution in original post

manjunathmeti
SplunkTrust
SplunkTrust

You can use one condition element for both the conditions. For second condition use eval element like this.

<drilldown>
    <condition field="field1">
        <set token="clicked_field">field1</set>
        <eval token="temp">if(match("value1", $row.field1$), "v1 v2", "")</eval>
    </condition>
</drilldown>

vigneshtv
Explorer

Thanks for your answer. I want to add some more details to my question. I have a lengthy list of possible values for $row.field1$ for which the corresponding values of temp are different. For each possible value in $row.field1$ , I want to set a corresponding value in temp. Say, if $row.field1$ is vehicle, I want my temp to be "Cycle Car" or if $row.field1$ is fruit, I want my temp to be "Apple Orange" and so on.

0 Karma

manjunathmeti
SplunkTrust
SplunkTrust

You can use case statement:

<eval token="temp">case(match("vehicle", $row.field1$), "Cycle Car", match("fruit", $row.field1$), "Apple Orange")</eval>

manjunathmeti
SplunkTrust
SplunkTrust

Also if you have too many values in field1 then it's better you create a csv lookup with field1 and temp values and use it in your search directly. Only thing is temp values are displayed in the results. Then set token based on row is clicked.

 <drilldown>
     <set token="temp">$row.temp$</eval>
 </drilldown>
0 Karma

jpolvino
Builder

Can you please post more of your XML? Are you trying to set some tokens based upon the result of a search, or when an input changes?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...