Solved: Token eval Question

timm7474 · ‎05-17-2021

I'm trying to check the value of a token and if it is equal to "X" change it to an * but if it is equal to anything else, leave the token alone. I'm trying something like this but not sure it is possible.

<eval token='my_token'> if("X", "*", $my_token$)</eval>

</drilldown>

Thanks.

timm7474 · ‎05-18-2021

This worked in the XML. Thank you!

View solution in original post

ITWhisperer · ‎05-17-2021

Try:

<drilldown>
<eval token="my_token"> if($my_token$="X", "*", $my_token$)</eval>
<link target="_blank">search?q= my search...my_field=$my_token$.....blah blah blah...  </link>
</drilldown>

timm7474 · ‎05-17-2021

Thanks for the quick reply, still no luck. To add a bit more context, I am using click.name2 to grab column names to use in my search. But when click.name2 is equal to the far right column name, I want to change the token to * since that name is a label for that column and not an actual searchable column name like the rest of the columns (if that makes sense). I'm also using an eval in the search to get the column names and I tried adding this eval to the bottom under the search before the </drilldown> with still no luck.

ITWhisperer · ‎05-17-2021

So are you doing something like this?

<drilldown>
  <eval token="my_token">if($click.name2$="last","*",$click.name2$)</eval>
  <link target="_blank">search?q= my search...my_field=$my_token|u$.....blah blah blah...  </link>
</drilldown>

timm7474 · ‎05-18-2021

This worked in the XML. Thank you!

Token eval Question

eval

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...