Solved: problem with 'condition match'

gerbert · ‎03-27-2021

Hello,

I want to conduct a search, set a token according to the search result and then set another bunch of tokens depending on the search result token.
However my tokens ($test1$, $test2$ and $test3$) get never set. Any ideas what I'm doing wrong?

<dashboard>
  <label>Titel</label>
  <row>
    <panel depends="$alwaysHideCSS$">
      <single>
        <search>
          <query>
            index=someSearch| rename searchResult AS XX
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <set token="testtest">$result.XX$</set>
          </done>
        </search>
        <drilldown>
          <condition match="5==5">
            <set token="test1">X5</set>
            <set token="test2">a</set>
            <set token="test3">b</set>
          </condition>
          <condition match="1==9">
            <set token="test1">a</set>
            <set token="test2">X2</set>
            <set token="test3">b</set>
          </condition>
          <condition match="2==3">
            <set token="test1">a</set>
            <set token="test2">b</set>
            <set token="test3">X3</set>
          </condition>
        </drilldown>
      </single>
    </panel>
  </row>
[... ] <!-- here I want to use those test-tokens but they never get set -->
</dashboard>

The token "testtest" is working. Why do the tokens ($test1$, $test2$ and $test3$) not get set? The condition "5==5" cannot be false.

ITWhisperer · ‎03-27-2021

<form theme="light">
  <label>...</label>
  <search id="xyz">
    <query>index=...</query>
    <earliest>-7d@h</earliest>
    <latest>@h</latest>
    <done>
      <condition>
        <set token="blah">blah</set>
      </condition>
    </done>
  </search>
  <init>
    <set token="abc">true</set>
  </init>
  <fieldset submitButton="false"></fieldset>
  <row>

View solution in original post

ITWhisperer · ‎03-27-2021

Perhaps a silly question, but you are clicking on the single, right?

gerbert · ‎03-27-2021

Oh, no. I wasn't. Thanks! Now it set's the tokens correctly but is it possible to do this automatically without having to click anything. Like in an <init> </init> environment. If so could you give me an example of how you would do it?

On a side note: is there a way to delete your own community posts? Earlier there was a problem with the splunk community servers I think, which lead to me posting five different threads with the same topic.

ITWhisperer · ‎03-27-2021

Look for this dropdown menu at the top of your post

You may be able to remove the post from there

gerbert · ‎03-27-2021

Just to clarify I don't even need/want the <single>. I just added it because otherwise I couldn't use the drilldown with the different conditions.
I want to conduct a search (automatically as soon as the dashboard is loaded), set a token with the search result as a value and then depending on that value I want to set a bunch of other tokens.

ITWhisperer · ‎03-27-2021

<form theme="light">
  <label>...</label>
  <search id="xyz">
    <query>index=...</query>
    <earliest>-7d@h</earliest>
    <latest>@h</latest>
    <done>
      <condition>
        <set token="blah">blah</set>
      </condition>
    </done>
  </search>
  <init>
    <set token="abc">true</set>
  </init>
  <fieldset submitButton="false"></fieldset>
  <row>

ITWhisperer · ‎03-27-2021

If you need to set tokens to different values depending on the results, you can use things like

<eval token="anothertoken">if(a,b,c)</eval>

problem with 'condition match'

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation