Splunk Search

Simple XML - Token inside eval if

Path Finder


I have an eval if condition in my dashboard for my drilldown:

<eval token="query">if('category'=="Total",  "search ageGroup=*", where ageGroup='group_token')</eval>

I pass this line of search to a query on another dashboard. If the user clicks on 'Total' on the table, it will search everything for all age groups. If the user clicks on a particular age group, it will need to search the ageGroup in $group_token$.

This isn't working fine. How do I pass group_token to the search string to the other dashboard?

0 Karma

Esteemed Legend

Don't do it this way. Assuming that your table events have a field called ageGroup, create a field called _group_token by adding this to the end of your existing search: | eval _group_token = coalesce(ageGroup, "*") (assuming that your Total field does not have a value for ageGroup). Then use standard drilldown with ... ageGroup = $click._group_token. Check out the Dashboard Examples app for drilldown details.

0 Karma


If I understand you correctly, you're trying to pass the value of a token on dashboardA as a GET argument in the URL string of dashboardB, correct?

If so, edit the drilldown targets like this:

drilldown editor screenshot

Of course, this presumes dashboardB can do something with URL parameters 🙂

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...