How to create a new token by editing the value of a previous token in Simple XML?

Contributor

Hi Splunkers,

I have a pie chart with 2 values for the field state: "Active" and "Inactive", appended with percentage and count values (e.g. "Active 300(80%)"). I need to drill down to a new window where the tokens "Active", "Inactive" (without numeric values) will generate search strings.

How should I correctly achieve this with Simple XML?
I've tried to form a new token via eval token=, but with no success.

0 Karma
1 Solution

Legend

Try this

        <drilldown>
          <eval token="state">if(match($click.value$, "Not_Active"), "InActive", "Active")</eval>
        </drilldown>

0 Karma

Contributor

So here's the actual part

        if(match('click.value', "Not_Active.*"), "Not_Active", "Active")

        <![CDATA[
        /app/myapp/nextpage?form.state=$state$
        ]]>

Thank you, sundareshr!

0 Karma

Legend

Unfortunately, the only thing you can condition on in a pie chart is the name of the field you clicked on, which is always the same (count). What you could do is manipulate the values in the query using rex or replace(). If you need help with either, share your search and someone in this community can assist.

0 Karma

Contributor

Hi, sundareshr
As I understand, the only way is to somehow manipulate the inherited token values in a new window before further operations.
So I need to click on the Not_Active\Active zone,
and in the new window the prefix with numbers should be cut off before the query is activated. The resulting static values (Active\Not_Active) will just populate new searches ($state$).
Is it possible?

Something like this
http://s15.postimg.org/aetp3qiob/Splunk1.png

0 Karma

Legend

In your dashboard you have two panels: one with the pie chart, the other with, let's say, a table. The query for the table will look something like this (this is pseudo code, will not work as-is).

        .... | eval x="$state$" | rex field=x "(?<state>Active|Not_Active)" | ...

0 Karma

Contributor

The token from the pie goes to a different destination dashboard and it plays only 1 role there: the name for a token value (like in the picture from my previous post). These two values (Active|Not_Active) contain two different operations with lookup tables (| inputlookup..). So the idea is that the search query in the destination dashboard is just $state$, and depending on the state clicked it must call the search related to one of these states. Unfortunately there is no way to equalize something with (Active|Not_Active) or perform any eval like() function. In other words I need to click "Active 300(80%)" --> form.state=$click.value$ --> drilldown --> somewhere in the middle cut the dynamic tail --> in the new dashboard the dropdown input with token $state$ and 2 choices Active=somesearch1, Not_Active=somesearch2.

0 Karma
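The flow described in the post above, written out as an added example (not code from any participant in this thread): the drilldown puts only one of two fixed keywords into the URL, and the destination form maps that keyword to its search, so no search string travels in `form.state`. The `state_search` token and the lookup file names are assumptions; `myapp` and `nextpage` are taken from the thread.

```xml
<!-- Source dashboard: goes inside the pie chart's <chart> element.
     Whatever the clicked label looks like, only "Active" or "Not_Active"
     is ever written into the drilldown URL. -->
<drilldown>
  <eval token="state">if(match('click.value', "^Not_Active"), "Not_Active", "Active")</eval>
  <link target="_blank">/app/myapp/nextpage?form.state=$state$</link>
</drilldown>

<!-- Destination dashboard (nextpage). Lookup file names are hypothetical. -->
<form>
  <label>State details</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="state" searchWhenChanged="true">
      <label>State</label>
      <choice value="Active">Active</choice>
      <choice value="Not_Active">Not_Active</choice>
      <change>
        <!-- Each allowed keyword selects a search defined here, in the dashboard. -->
        <condition value="Active">
          <set token="state_search">| inputlookup active_hosts.csv</set>
        </condition>
        <condition value="Not_Active">
          <set token="state_search">| inputlookup not_active_hosts.csv</set>
        </condition>
        <!-- Catch-all: any other form.state value leaves the panel without a search. -->
        <condition>
          <unset token="state_search"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- The panel stays idle until state_search has been set above. -->
          <query>$state_search$</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```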