Solved: Re: How can I get the value of a token as a search...

tamduong16 · ‎12-05-2017

I have the following xml:

I want to have Name=$unit$ for the line eval token. And will have other conditions to be Name=$campus$ , etc. But I can't seem to find an escape character for splunk to understand that I want to refer to a token instead of a String. I tried 'unit', $unit$, '$unit$'. But all of them don't work. Will I be able to do this with splunk today? If not, What could be a good work around? Thanks!

niketn · ‎12-05-2017

@tamduong16, you can try something like the following:

Option 1: With condition match and set token

        <change>
          <condition match="value!=&quot;*&quot;">
            <set token="result">Name=&quot;unit&quot;</set>
          </condition>
        </change>

Option 2: With eval to set token

<change>
    <eval token="result">case($value$!="*","Name=\"unit\"")</eval>
</change>

Following is a run anywhere dashboard snippet to test out the same.

  <row>
    <panel>
      <input type="dropdown" token="unit" searchWhenChanged="true">
        <label>Select a unit:</label>
        <choice value="*">All</choice>
        <choice value="UnitA">UnitA</choice>
        <choice value="UnitB">UnitB</choice>
        <change>
          <condition match="value!=&quot;*&quot;">
            <set token="result">Name=&quot;unit&quot;</set>
          </condition>
        </change>
      </input>      
      <html>
        <div>$unit$ - $result$</div>
      </html>
    </panel>
  </row>

Please try out and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎12-05-2017

@tamduong16, you can try something like the following:

Option 1: With condition match and set token

        <change>
          <condition match="value!=&quot;*&quot;">
            <set token="result">Name=&quot;unit&quot;</set>
          </condition>
        </change>

Option 2: With eval to set token

<change>
    <eval token="result">case($value$!="*","Name=\"unit\"")</eval>
</change>

Following is a run anywhere dashboard snippet to test out the same.

  <row>
    <panel>
      <input type="dropdown" token="unit" searchWhenChanged="true">
        <label>Select a unit:</label>
        <choice value="*">All</choice>
        <choice value="UnitA">UnitA</choice>
        <choice value="UnitB">UnitB</choice>
        <change>
          <condition match="value!=&quot;*&quot;">
            <set token="result">Name=&quot;unit&quot;</set>
          </condition>
        </change>
      </input>      
      <html>
        <div>$unit$ - $result$</div>
      </html>
    </panel>
  </row>

Please try out and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

tamduong16 · ‎12-06-2017

Hi niketnilay, Thank you for answering my question. I tried the above but the result always comes out as the string unit. For some reason, Splunk keeps translating it to a string but not my token. Any ideas?

niketn · ‎12-06-2017

@tamduong16, based on your initial query in the question I thought you wanted to default the token $result$ to Name="unit" in case All or "*" is selected and if nothing else is selected it should be unset or null, which was not defined in your question.

Please give examples with data as to what you want the token $result$ to be set when All is selected or when any specific Unit value is selected.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

tamduong16 · ‎12-06-2017

So the $unit$ token could be anywhere from * to a string like "abc", "cdf123". I have 2 other token name $campus$ and $building$. I want $result$ to be "Name=$campus$$building$*" if $unit$ equal * , and $result$ to be "Name=$unit$" if $unit$ equal something else (for example, "Name=abcd345" when the value of $unit$ is "abcd345"). Thanks!

niketn · ‎12-06-2017

@tamduoung, try the following run anywhere dashboard. I have used init section to mock the campus and building tokens. You can plugin things as per your need.

<form>
  <label>Set token on condition match</label>
  <init>
    <set token="campus">MyCampus</set>
    <set token="building">BuildingA</set>
  </init>
  <fieldset submitButton="false">
  </fieldset>
  <row>
    <panel>
      <input type="dropdown" token="unit" searchWhenChanged="true">
        <label>Select a unit:</label>
        <choice value="*">All</choice>
        <choice value="UnitA">UnitA</choice>
        <choice value="UnitB">UnitB</choice>
        <change>
           <condition match="value!=&quot;*&quot;">
             <set token="result">Name=&quot;$value$&quot;</set>
           </condition>
           <condition>
             <set token="result">Name=&quot;$campus$$building$&quot;</set>
           </condition>
        </change>
      </input>      
      <html>
        <div>$unit$ - $result$</div>
      </html>
    </panel>
  </row>
</form>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

How can I get the value of a token as a search eval for another token?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases