Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Combine field and match conditions

vigneshtv
Explorer
‎02-17-2020 01:37 AM 
I am trying to set 2 tokens based on field and match but I think if 1st condition is matched, 2nd is not evaluated so please suggest the correct method of doing this. The following is what I tried

<condition field=field1>

<set token="clicked_field">field1</set>

</condition>


<condition match="$row.field1$==value1">

<set token="temp" >"v1 v2"</set>

</condition>
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
SplunkTrust
SplunkTrust
‎02-17-2020 09:04 PM

You can use one condition element for both the conditions. For second condition use eval element like this.

<drilldown>
    <condition field="field1">
        <set token="clicked_field">field1</set>
        <eval token="temp">if(match("value1", $row.field1$), "v1 v2", "")</eval>
    </condition>
</drilldown>

View solution in original post

Reply
Solved! Jump to solution
Solution

manjunathmeti
SplunkTrust
SplunkTrust
‎02-17-2020 09:04 PM

You can use one condition element for both the conditions. For second condition use eval element like this.

<drilldown>
    <condition field="field1">
        <set token="clicked_field">field1</set>
        <eval token="temp">if(match("value1", $row.field1$), "v1 v2", "")</eval>
    </condition>
</drilldown>
Reply
Solved! Jump to solution

vigneshtv
Explorer
‎02-17-2020 10:32 PM

Thanks for your answer. I want to add some more details to my question. I have a lengthy list of possible values for $row.field1$ for which the corresponding values of temp are different. For each possible value in $row.field1$ , I want to set a corresponding value in temp. Say, if $row.field1$ is vehicle, I want my temp to be "Cycle Car" or if $row.field1$ is fruit, I want my temp to be "Apple Orange" and so on.

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
SplunkTrust
SplunkTrust
‎02-18-2020 07:28 AM

You can use case statement:

<eval token="temp">case(match("vehicle", $row.field1$), "Cycle Car", match("fruit", $row.field1$), "Apple Orange")</eval>
Reply
Solved! Jump to solution

manjunathmeti
SplunkTrust
SplunkTrust
‎02-18-2020 11:34 PM

Also if you have too many values in field1 then it's better you create a csv lookup with field1 and temp values and use it in your search directly. Only thing is temp values are displayed in the results. Then set token based on row is clicked.

 <drilldown>
     <set token="temp">$row.temp$</eval>
 </drilldown>
0 Karma
Reply
Solved! Jump to solution

jpolvino
Builder
‎02-17-2020 01:44 PM

Can you please post more of your XML? Are you trying to set some tokens based upon the result of a search, or when an input changes?

0 Karma
Reply
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...