How to create a new token by editing the value of a previous token in Simple XML?

evelenke
Contributor

Hi Splunkers,

I have a pie chart with 2 values for the field state: "Active" and "Inactive", appended by percentage and count values (e.g. "Active 300(80%)"). I need to drill down to a new window where the tokens "Active" and "Inactive" (without numeric values) will generate search strings.

How should I correctly achieve this with Simple XML?
I've tried to form a new token via eval token=, but with no success.


sundareshr
Legend

Try this

        <drilldown>
          <eval token="state">if(match($click.value$, "Not_Active"), "InActive", "Active")</eval>
        </drilldown>

evelenke
Contributor

So here's the actual part:

        if(match('click.value', "Not_Active.*"), "Not_Active", "Active")

        <![CDATA[
        /app/myapp/nextpage?form.state=$state$
        ]]>

Thank you, sundareshr!

sundareshr
Legend

Unfortunately, the only thing you can condition on in a pie chart is the name of the field you clicked on, which is always the same (count). What you could do is manipulate the values in the query using rex or replace(). If you need help with either, share your search and someone in this community can assist.

evelenke
Contributor

Hi, sundareshr
As I understand, the only way is to somehow manipulate the inherited token values in the new window before further operations.
So I need to click on the Not_Active\Active zone, and in the new window the prefix with numbers should be cut off before the query is activated. The resulting static values (Active\Not_Active) will just populate the new searches ($state$).
Is it possible?

Something like this
http://s15.postimg.org/aetp3qiob/Splunk1.png

sundareshr
Legend

In your dashboard you have two panels: one with the pie chart, the other with, let's say, a table. The query for the table will look something like this (this is pseudo code, will not work as-is).

        ... | eval x="$state$" | rex field=x "(?<state>Active|Not_Active)" | ...

evelenke
Contributor

The token from the pie goes to a different destination dashboard, and it plays only one role there: the name for a token value (like in the picture from my previous post). These two values (Active|Not_Active) contain two different operations with lookup tables (| inputlookup..). So the idea is that the search query in the destination dashboard is just $state$, and depending on the state clicked it must call the search related to one of these states. Unfortunately there is no way to equalize something with (Active|Not_Active) or perform any eval like() function. In other words I need to click "Active 300(80%)" --> form.state=$click.value$ --> drilldown --> somewhere in the middle cut the dynamic tail --> in the new dashboard, the dropdown input with token $state$ and 2 choices Active=somesearch1, Not_Active=somesearch2.

0 Karma
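
The flow described in the last post (click a labelled slice, cut the dynamic tail, open a second dashboard that runs one of two lookups), sketched as an added example that is not from the thread or from Splunk. The pie-chart query, the lookup file names and the `state_search` token are assumptions; `/app/myapp/nextpage` and `form.state` come from the posts above, and the eval uses the token reference form of the accepted answer.

```xml
<!-- Source dashboard panel. Constructed query: slice labels look like "Active 300(80%)". -->
<chart>
  <search>
    <query>| inputlookup host_state.csv
| stats count by state
| eventstats sum(count) as total
| eval state=state." ".count."(".round(100*count/total)."%)"
| fields state count</query>
  </search>
  <option name="charting.chart">pie</option>
  <drilldown>
    <!-- Map the clicked label to one of two fixed values; the numeric tail never leaves this page. -->
    <eval token="state">if(match($click.value$, "^Not_Active"), "Not_Active", "Active")</eval>
    <link target="_blank"><![CDATA[/app/myapp/nextpage?form.state=$state$]]></link>
  </drilldown>
</chart>

<!-- Destination dashboard (nextpage). form.state from the URL selects a choice by value. -->
<form>
  <fieldset submitButton="false">
    <input type="dropdown" token="state" searchWhenChanged="true">
      <label>State</label>
      <choice value="Active">Active</choice>
      <choice value="Not_Active">Not_Active</choice>
      <change>
        <!-- The search text is defined here, not carried in the URL (lookup names are hypothetical). -->
        <condition value="Active">
          <set token="state_search">| inputlookup active_hosts.csv</set>
        </condition>
        <condition value="Not_Active">
          <set token="state_search">| inputlookup not_active_hosts.csv</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>$state_search$</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because the two searches are set by `<condition>` blocks in the destination dashboard, a `form.state` value other than `Active` or `Not_Active` matches no condition and leaves `$state_search$` unset, so the panel does not run.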