Simple XML - Token inside eval if

dojiepreji · ‎10-17-2019

Hello,

I have an eval if condition in my dashboard for my drilldown:

<eval token="query">if('category'=="Total",  "search ageGroup=*", where ageGroup='group_token')</eval>

I pass this line of search to a query on another dashboard. If the user clicks on 'Total' on the table, it will search everything for all age groups. If the user clicks on a particular age group, it will need to search the ageGroup in $group_token$.

This isn't working fine. How do I pass group_token to the search string to the other dashboard?

woodcock · ‎10-17-2019

Don't do it this way. Assuming that your table events have a field called ageGroup, create a field called _group_token by adding this to the end of your existing search: | eval _group_token = coalesce(ageGroup, "*") (assuming that your Total field does not have a value for ageGroup). Then use standard drilldown with ... ageGroup = $click._group_token. Check out the Dashboard Examples app for drilldown details.

wmyersas · ‎10-17-2019

If I understand you correctly, you're trying to pass the value of a token on dashboardA as a GET argument in the URL string of dashboardB, correct?

If so, edit the drilldown targets like this:

Of course, this presumes dashboardB can do something with URL parameters 🙂

Simple XML - Token inside eval if

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?