Splunk Search

"condition match" tokens

a1eX
Observer

Hello,

I want to conduct a search, set a token according to the search result and then set another bunch of tokens depending on the search result token.

However my tokens ($test1$, $test2$ and $test3$) get never set. Any ideas what I'm doing wrong?

 

<dashboard>
 <label>Titel</label>
  <row>
    <panel depends="$alwaysHideCSS$">
      <single>
        <search>
          <query>
            index=someSearch| rename searchResult AS XX
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <set token="myToken">$result.XX$</set>
          </done>
        </search>
        <drilldown>
          <condition match="5==5">
            <set token="test1">a</set>
            <set token="test2">b</set>
            <set token="test3">c</set>
          </condition>
          <condition match="1==9">
            <set token="test1">d</set>
            <set token="test2">e</set>
            <set token="test3">f</set>
          </condition>
          <condition match="2==3">
            <set token="test1">g</set>
            <set token="test2">h</set>
            <set token="test3">i</set>
          </condition>
        </drilldown>
      </single>
    </panel>
  </row>
[... ] <!-- here I want to use those test-tokens but they never get set -->
</dashboard>

 


The token "myToken" is working. Why do the tokens ($test1$, $test2$ and $test3$) not get set? The condition "5==5" cannot be false.

Labels (1)
Tags (3)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

It doesn't look like you are doing anything wrong - the tokens should be set when you click on the single

0 Karma
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...