Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Combine field and match conditions

vigneshtv
Explorer
‎02-17-2020 01:37 AM 
I am trying to set 2 tokens based on field and match but I think if 1st condition is matched, 2nd is not evaluated so please suggest the correct method of doing this. The following is what I tried

<condition field=field1>

<set token="clicked_field">field1</set>

</condition>


<condition match="$row.field1$==value1">

<set token="temp" >"v1 v2"</set>

</condition>
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎02-17-2020 09:04 PM

You can use one condition element for both the conditions. For second condition use eval element like this.

<drilldown>
    <condition field="field1">
        <set token="clicked_field">field1</set>
        <eval token="temp">if(match("value1", $row.field1$), "v1 v2", "")</eval>
    </condition>
</drilldown>

View solution in original post

Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎02-17-2020 09:04 PM

You can use one condition element for both the conditions. For second condition use eval element like this.

<drilldown>
    <condition field="field1">
        <set token="clicked_field">field1</set>
        <eval token="temp">if(match("value1", $row.field1$), "v1 v2", "")</eval>
    </condition>
</drilldown>
Reply
Solved! Jump to solution

vigneshtv
Explorer
‎02-17-2020 10:32 PM

Thanks for your answer. I want to add some more details to my question. I have a lengthy list of possible values for $row.field1$ for which the corresponding values of temp are different. For each possible value in $row.field1$ , I want to set a corresponding value in temp. Say, if $row.field1$ is vehicle, I want my temp to be "Cycle Car" or if $row.field1$ is fruit, I want my temp to be "Apple Orange" and so on.

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎02-18-2020 07:28 AM

You can use case statement:

<eval token="temp">case(match("vehicle", $row.field1$), "Cycle Car", match("fruit", $row.field1$), "Apple Orange")</eval>
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎02-18-2020 11:34 PM

Also if you have too many values in field1 then it's better you create a csv lookup with field1 and temp values and use it in your search directly. Only thing is temp values are displayed in the results. Then set token based on row is clicked.

 <drilldown>
     <set token="temp">$row.temp$</eval>
 </drilldown>
0 Karma
Reply
Solved! Jump to solution

jpolvino
Builder
‎02-17-2020 01:44 PM

Can you please post more of your XML? Are you trying to set some tokens based upon the result of a search, or when an input changes?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...