Solved: How to create a new token by editing the value of ...

evelenke · ‎04-18-2016

Hi Splunkers,

I have pie chart with 2 values for the field state: "Active" and "Inactive" appended by percentage and count values (e.g. "Active 300(80%)". I need to drill down to a new window where tokens "Active", "Inactive" (without numeric values) will generate search strings.

How should I correctly achieve this with Simple XML?
I've tried to form a new token via eval token=, but with no success.

sundareshr · ‎04-19-2016

Try this

        <drilldown>
          <eval token="state">if(match($click.value$, "Not_Active"), "InActive", "Active")</eval>
        </drilldown>

View solution in original post

sundareshr · ‎04-19-2016

Try this

        <drilldown>
          <eval token="state">if(match($click.value$, "Not_Active"), "InActive", "Active")</eval>
        </drilldown>

evelenke · ‎04-20-2016

So here's actual part

if(match('click.value', "Not_Active.*"), "Not_Active", "Active")

<![CDATA[
/app/myapp/nextpage?form.state=$state$
]]>

Thank you , sundareshr!

evelenke · ‎04-19-2016

Hi, sundareshr
As I understand the only way is to somehow manipulate with inherited token values in a new window before further operations.
So that I need to click on Not_Active\Active zone
and in new window the prefix with numbers should be cut-off before query will be activated. The resulting static values (Active\Not_Active) will just populate new searches ( $state$)

Is it possible?

sundareshr · ‎04-18-2016

Unfortunately, the only thing you can condition on in a pie chart is name of the field you clicked on, which is always the same (count). What you could do, is the manipulate the values in the query using rex or replace(). If you need help with either, share your search and someone in this community can assist

evelenke · ‎04-19-2016

Hi, sundareshr
As I understand the only way is to somehow manipulate with inherited token values in a new window before further operations.
So that I need to click on Not_Active\Active zone ![alt text][1]
and in new window the prefix with numbers should be cut-off before query will be activated. The resulting static values (Active\Not_Active) will just populate new searches ( $state$)
![alt text][2]
Is it possible?

Something like this
http://s15.postimg.org/aetp3qiob/Splunk1.png

sundareshr · ‎04-19-2016

In you dashboard you have two panels. 1 with the pie chart. The other with a, lets say a table. The query for a the table will look something like this (this is psuedo code, will not work as-is).

.... | eval x=$state$ | rex field=x "(?<state>Active|Not_Active)" | ...

evelenke · ‎04-19-2016

The token from pie goes to different destination dashboard and it plays there only 1 role - name for a token value (like in picture from my previous post). This two values (Active|Not_Active) contains two different operations with lookup tables (| inputlookup..) . So the idea is that a search query in destinations dashboard is just $state$ and depending of a state clicked it must call search related to one of these states. Unfortunately there is no way to equalize something with (Active|Not_Active) or perfrom any eval like() function. In other words I need to click "Active 300(80%)" --> form.state=$click.value$ --> drilldown --> somewhere in the middle cut dynamic tail ) -- > in new dashboard the dropdown input with token $state$ and 2 choices Active=somesearch1, Not_Active=somesearch2.

How to create a new token by editing the value of a previous token in Simple XML?

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

Explore the Latest Educational Offerings from Splunk (November Releases)

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...