Splunk Search

Correct syntax for condition

greggz
Communicator

Im trying to perform a condition based on 2 varibles, but I can't seem to get right the expression. I've been trying to chain the conditions, but it doesnt work. What's the equivalent of this:

<change>

            <condition value="volume"> 
                 <condition match=" $token$ != 1">
                    <set token="volume-details1">true</set>
                    <unset token="resptime-details1"></unset>
                    <unset token="error-details1"></unset>
                    <unset token="gctime-details1"></unset>
                    <unset token="thread-details1"></unset>
                    <unset token="connpool-details1"></unset>
                    <unset token="cpu-details1"></unset>
                    <unset token="memory-details1"></unset>
                    <unset token="disk-details1"></unset>
              </condition>
           </condition>

</change>

 <init>
    <set token="token">0</set>
</init>
0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

Hi @greggz,

As your condition is nested can you please try below conditions in your condition code?

 <condition match=" $value$=&quot;volume&quot; AND  $token$ != 1">

Thanks

View solution in original post

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Hi @greggz,

As your condition is nested can you please try below conditions in your condition code?

 <condition match=" $value$=&quot;volume&quot; AND  $token$ != 1">

Thanks

0 Karma

greggz
Communicator

<condition match=" $token$ != 1"> .. This line works fine if it's not inside the Outer condition. So, it's not from that Im sure

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

oooh..

$token$ is not a input token.?... Can you please share your sample xml ?

0 Karma

greggz
Communicator

No. Token is a "global" token.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

okay.
I think I missed nested condition tag. Can you please try this?

<condition match=" $value$=&quot;volume&quot; AND  $token$ != 1">
0 Karma

greggz
Communicator

Marvelous. It works! Thanks. Update answer for me to mark it as correct. thanks

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Answer updated
Please accept and upvote any comment which helped you.
Thanks

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...