Re: "condition match" tokens

a1eX · ‎03-27-2021

Hello,

I want to conduct a search, set a token according to the search result and then set another bunch of tokens depending on the search result token.

However my tokens ($test1$, $test2$ and $test3$) get never set. Any ideas what I'm doing wrong?

<dashboard>
 <label>Titel</label>
  <row>
    <panel depends="$alwaysHideCSS$">
      <single>
        <search>
          <query>
            index=someSearch| rename searchResult AS XX
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <set token="myToken">$result.XX$</set>
          </done>
        </search>
        <drilldown>
          <condition match="5==5">
            <set token="test1">a</set>
            <set token="test2">b</set>
            <set token="test3">c</set>
          </condition>
          <condition match="1==9">
            <set token="test1">d</set>
            <set token="test2">e</set>
            <set token="test3">f</set>
          </condition>
          <condition match="2==3">
            <set token="test1">g</set>
            <set token="test2">h</set>
            <set token="test3">i</set>
          </condition>
        </drilldown>
      </single>
    </panel>
  </row>
[... ] <!-- here I want to use those test-tokens but they never get set -->
</dashboard>

The token "myToken" is working. Why do the tokens ($test1$, $test2$ and $test3$) not get set? The condition "5==5" cannot be false.

ITWhisperer · ‎03-27-2021

It doesn't look like you are doing anything wrong - the tokens should be set when you click on the single

"condition match" tokens

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

"condition match" tokens

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR