How to match 2 data sets in JSON events using one common field

anooshac
Communicator

Hi All,

I have created a dashboard for JSON data. There are 2 sets of data in same index.

One is Info.metadata{} and another one is Info.runtime_data{} under same index as different events.

But both of the events have one common field that is "Info.Title".

How can I combine these 2 events?


bowesmana
SplunkTrust

A bit more information would be useful, but this is a start and is the general technique for combining two data types on a common field

index=bla
| stats values(*) as * by Info.Title


ITWhisperer
SplunkTrust

There are a number of possibilities but probably the best way would be to use stats values() by Info.Title.


anooshac
Communicator

@ITWhisperer, I have used stats and I was able to match the data.

I want to do one more implementation. I want to set a token based on the availability of Info.runtime_data{}. Not every event will have Info.runtime_data{}. I want to set a token if Info.runtime_data{} is present in the event for Info.Title, and if it is not present I want to unset that token. I have tried it in the search query using an if condition, but I am not able to implement it in the dashboard.

<search>
  <query>
    index="abc" sourcetype="abc" Info.Title="$Title$"
    | spath output=Runtime_data path=Info.runtime_data
    | eval has_runtime = if(isnotnull(Runtime_data), "Yes", "No")
    | table _time, has_runtime
  </query>
  <done>
    <condition match="has_runtime=Yes">
      <set token="tok_runtime">true</set>
    </condition>
    <condition match="has_runtime=No">
      <unset token="tok_runtime"></unset>
    </condition>
  </done>
</search>

This is my code; I am not sure whether the condition match is correct or not, but I am not able to set or unset the token. Please suggest anything.


bowesmana
SplunkTrust

As @ITWhisperer says, you only have access to the first result of the table in the <done> clause, but assuming you only have a single result then you can set the token based on that very simply using <eval>

<done>
  <eval token="tok_runtime">if($result.has_runtime$="Yes", "true", null())</eval>
</done>

If you have multiple results, then this would work

<search>
  <query>
    index="abc" sourcetype="abc" Info.Title="$Title$"
    | spath output=Runtime_data path=Info.runtime_data
    | eval has_runtime = if(isnotnull(Runtime_data), 1, 0)
    | table _time, has_runtime
    | eventstats max(has_runtime) as has_runtime
  </query>
  <done>
    <eval token="tok_runtime">if($result.has_runtime$>0, "true", null())</eval>
  </done>
</search>

ITWhisperer
SplunkTrust

In the done handler, you only have access to the first row of the results, so you would only be able to set a token based on the first result. Is this what you are actually trying to do?


anooshac
Communicator

@ITWhisperer, yes, I'm trying to set a token based on the value of has_runtime, since I want to show some charts only if that particular data is present. For this I am trying to create a token so that I can use it to show or hide the charts.


ITWhisperer
SplunkTrust

In that case you could rework your search so that it has either zero or 1 row depending on whether the condition is met, and set your token based on the number of results returned.


anooshac
Communicator

@ITWhisperer, I considered 1,0 and put the condition like this. But still I am not able to set the token. Is this implementation correct?

<done>
  <condition match="match(has_runtime,&quot;1&quot;)">
    <set token="tok_runtime">true</set>
  </condition>
  <condition match="match(has_runtime,&quot;0&quot;)">
    <unset token="tok_runtime"></unset>
  </condition>
</done>


ITWhisperer
SplunkTrust

You have not shown anything that indicates that the search has the value you are seeking on the first row of your results. Please share your search and follow @bowesmana's suggestion about which token to use to retrieve the results.


bowesmana
SplunkTrust

@anooshac no it's not, you need to look at the $result.has_runtime$ token - see my example
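
A complete Simple XML form that puts the two suggestions in this thread together, added here as an example rather than code posted by anyone in the thread: a hidden search reduces the events for the selected Info.Title to a single row, the <done> handler reads its has_runtime flag through $result.has_runtime$, and the panels show or hide on that token with depends/rejects. It assumes the index and sourcetype placeholder "abc" and the $Title$ input from the question.

```xml
<form>
  <label>Runtime data by title (constructed example)</label>
  <fieldset submitButton="false">
    <input type="text" token="Title">
      <label>Info.Title</label>
    </input>
  </fieldset>

  <!-- Hidden search: one row per title, has_runtime is 1 if any event
       for this title carries Info.runtime_data, otherwise 0.
       index/sourcetype "abc" are the placeholders used in the thread. -->
  <search id="runtime_check">
    <query>
      index="abc" sourcetype="abc" Info.Title="$Title$"
      | spath output=Runtime_data path=Info.runtime_data
      | eval has_runtime = if(isnotnull(Runtime_data), 1, 0)
      | stats max(has_runtime) as has_runtime by Info.Title
    </query>
    <done>
      <!-- $result.has_runtime$ is read from the first (and only) row.
           null() leaves the token unset, which hides dependent panels. -->
      <eval token="tok_runtime">if($result.has_runtime$ > 0, "true", null())</eval>
    </done>
  </search>

  <row>
    <!-- Rendered only while tok_runtime is set -->
    <panel depends="$tok_runtime$">
      <title>Runtime data for $Title$</title>
      <table>
        <search>
          <query>
            index="abc" sourcetype="abc" Info.Title="$Title$"
            | spath output=Runtime_data path=Info.runtime_data
            | where isnotnull(Runtime_data)
            | table _time Info.Title Runtime_data
          </query>
        </search>
      </table>
    </panel>
    <!-- Rendered only while tok_runtime is unset -->
    <panel rejects="$tok_runtime$">
      <html>
        <p>No Info.runtime_data{} events found for "$Title$".</p>
      </html>
    </panel>
  </row>
</form>
```

Because the hidden search never returns more than one row per title, the first-row limitation of the done handler that @ITWhisperer describes does not affect the result.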