I try to use condition match=" " to check the value of the "range" field in my search and display a table according to icon status.
<panel>
<html>
<h2>Title</h2>
</html>
<search>
<query>myquery | rangemap field=Status low=0-1 high2=2-3 severe=4-5 default=low</query>
<earliest>-24h</earliest>
<latest>now</latest>
<preview>
<set token="range2">$result.range$</set>
</preview>
<condition match="'result.range' == high2">
<set token="show_tab1">true</set>
<unset token="show_tab1"></unset>
</condition>
<condition match="'result.range' == severe">
<set token="show_tab2">true</set>
<unset token="show_tab2"></unset>
</condition>
</search>
<html>
<div class="custom-result-value icon-only $range2$"></div>
</html>
<table depends="$show_tab1$">
<search>
<query>mytable1query</query>
<earliest>-24h</earliest>
<latest>now</latest>
</search>
</table>
<table depends="$show_tab2$">
<search>
<query>mytable2query</query>
<earliest>-24h</earliest>
<latest>now</latest>
</search>
</table>
</panel>
Can someone help me to understand why I cannot get the value of the two tokens created by condition match=" "?
Try using this block where you have preview:
<done>
<condition match="'result.range' == high2">
<set token="range2">$result.range$</set>
<set token="show_tab1">true</set>
<unset token="show_tab1"></unset>
</condition>
<condition match="'result.range' == severe">
<set token="range2">$result.range$</set>
<set token="show_tab2">true</set>
<unset token="show_tab2"></unset>
</condition>
</done>
Thank you very much. It works correctly.
I do not know the <done>. What is its function and where can I find documentation?
Sorry rjthibod, finally it was not good. I forgot to change the name of the token in my table. The two tokens are not evaluated with condition match="". I do not understand why.
I am afraid I don't know what you mean. Can you restate the issue?
To see if the tokens "showtab1" and "showtab2" are calculated with condition match="", I check the display of the value of the tokens "range2" and "showtab1" just after the display of the icon state. It appears that the token "showtab" does not display "true" and the table requested when $range2$ = high2.
Here is my code:
<done>
<condition match="'range2' == high2">
<set token="showtab1">true</set>
<unset token="show_tab1"></unset>
</condition>
<condition match="'range2' == severe">
<set token="showtab2">true</set>
<unset token="show_tab2"></unset>
</condition>
</done>
</search>
<html>
<div class="custom-result-value icon-only $range2$"></div>
<li>$showtab1$</li>
<li>$range2$</li>
</html>
<table depends="$showtab1$">
<search>
<query>my tab query</query>
<earliest>-24h</earliest>
<latest>now</latest>
</search>
</table>
Am I clearer in my explanation?
Which version of Splunk are you using? If 6.3 or 6.4, try using finalized instead of done. If 6.5, then you should be using done and the issue is something else.
My Splunk version is 6.3.1 and I replaced done with finalized but the result does not change. I have no more ideas.
Are you sure the search is even running? Looking at your XML you have the search element directly as a child to a panel element. You should be putting the search under a view object like table.
Try wrapping your search inside of a table element, and put depends on the table to hide it. Something like this.
<panel>
<html>
<h2>Title</h2>
</html>
<table depends="$hidden$">
<search>
<query>myquery | rangemap field=Status low=0-1 high2=2-3 severe=4-5 default=low</query>
<earliest>-24h</earliest>
<latest>now</latest>
<finalized>
<condition match="'result.range' == high2">
<set token="range2">$result.range$</set>
<set token="show_tab1">true</set>
<unset token="show_tab1"></unset>
</condition>
<condition match="'result.range' == severe">
<set token="range2">$result.range$</set>
<set token="show_tab2">true</set>
<unset token="show_tab2"></unset>
</condition>
</finalized>
</search>
</table>
<html>
<div class="custom-result-value icon-only $range2$"></div>
</html>
<table depends="$show_tab1$">
<search>
<query>mytable1query</query>
<earliest>-24h</earliest>
<latest>now</latest>
</search>
</table>
<table depends="$show_tab2$">
<search>
<query>mytable2query</query>
<earliest>-24h</earliest>
<latest>now</latest>
</search>
</table>
</panel>
I tried your proposal by inserting the search in a table but the result is still not conclusive.
What about wrapping the condition terms in html quotes like this
<condition match="'result.range' == &quot;high2&quot;">
...
<condition match="'result.range' == &quot;severe&quot;">
...
Yes, that is right and without inserting into table. I had already tried this but I think I must have made a syntax error. Thank you for your help and I accept your answer.
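A lint check for the mistake resolved above, as an added example that is not part of the original thread: it parses Simple XML and flags any condition match expression that still contains an unquoted word, plus any token that is set and unset inside the same condition. The names lint_conditions and SAMPLE are hypothetical, and the sample fragment is constructed from the snippets posted here.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: first condition as posted in the question (bare word),
# second with the &quot;-quoted literal from the accepted answer.
SAMPLE = """<search>
  <query>myquery | rangemap field=Status low=0-1 high2=2-3 severe=4-5 default=low</query>
  <done>
    <condition match="'result.range' == high2">
      <set token="show_tab1">true</set>
      <unset token="show_tab1"></unset>
    </condition>
    <condition match="'result.range' == &quot;severe&quot;">
      <set token="show_tab2">true</set>
      <unset token="show_tab1"></unset>
    </condition>
  </done>
</search>"""

QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"|\'[^\']*\'')  # "string literal" or 'token name'
BARE = re.compile(r'\b[A-Za-z_][\w.]*\b(?!\s*\()')     # identifier that is not a function call
OPERATORS = {"AND", "OR", "NOT", "XOR", "LIKE", "IN"}

def lint_conditions(xml_text):
    """Return (match_expression, problem) pairs for every <condition match=...>."""
    findings = []
    for cond in ET.fromstring(xml_text).iter("condition"):
        expr = cond.get("match")
        if expr is None:
            continue
        # The XML parser has already decoded &quot;, so quoted literals are visible.
        remainder = QUOTED.sub(" ", expr)
        for word in BARE.findall(remainder):
            # eval reads a bare word as a field/token name, not as a string.
            if word.upper() not in OPERATORS:
                findings.append((expr, f"unquoted operand {word!r}: not a string literal"))
        set_names = {e.get("token") for e in cond.findall("set")}
        unset_names = {e.get("token") for e in cond.findall("unset")}
        for name in sorted(set_names & unset_names):
            findings.append((expr, f"token {name!r} is both set and unset here"))
    return findings

if __name__ == "__main__":
    for expr, problem in lint_conditions(SAMPLE):
        print(f"{expr}  ->  {problem}")
```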
I have a similar issue. From the URL parameter I have an element that is set.
form.Response_Resolution= Response Met %
I want to apply a condition and set additional tokens that can be used in search. I have used the below code snippet and it is not working fine. Any pointers might help.
<condition match="'form.Response_Resolution' == Response Met %">
<set token="Response_Met">Y</set>
<set token="Resolution_Met">*</set>
</condition>
<condition match="'form.Response_Resolution' == Resolution Met %">
<set token="Resolution_Met">Y</set>
<set token="Response_Met">*</set>
</condition>
You are missing quotes around the strings and you have to use the html entity for the % character.
<condition match="'form.Response_Resolution' == &quot;Response Met &quot;">
<set token="Response_Met">Y</set>
<set token="Resolution_Met">*</set>
</condition>
<condition match="'form.Response_Resolution' == &quot;Resolution Met &quot;">
<set token="Resolution_Met">Y</set>
<set token="Response_Met">*</set>
</condition>
For % it does not take , I used % and it worked. Thanks
These conditions are set in the init tag of the dashboard / form and I am trying to use these tokens in search.
But the search is always waiting for an input. Is there anything else I need to take care of so that it is used in the search?
Is "form.Response_Resolution" the name of the token to which this condition block belongs?
It would help if you shared all of the XML for the input and/or your search.
<condition match="'form.Response_Resolution' == &quot;Response Met %&quot;">
<set token="Response_Met" prefix="&quot;" suffix="&quot;">Y</set>
<set token="Resolution_Met" prefix="&quot;" suffix="&quot;">*</set>
</condition>
<condition match="'form.Response_Resolution' == &quot;Resolution Met %&quot;">
<set token="Resolution_Met" prefix="&quot;" suffix="&quot;">Y</set>
<set token="Response_Met" prefix="&quot;" suffix="&quot;">*</set>
</condition>
Ticket Details
<panel>
<html>
<div class="tab_logo">
<div class="aiam-links">
<a href="./help" class="help"> </a>
</div>
<div class="accenture_logo">
TICKET DETAILS
</div>
</div>
</html>
</panel>
<panel>
<table>
<title>Ticket Details</title>
<search>
<query>| pivot app_model app_model_search count(ifact_model_search) AS "count(ifact_model_search)" SPLITROW Ticket_ID FILTER Computed_Severity is "*" FILTER Resp_SLA_Met is $Response_Met$ FILTER Resolution_SLA_Met is $Resolution_Met$ FILTER Created_Month is "*"</query>
<earliest>0</earliest>
<sampleRatio>1</sampleRatio>
</search>
</table>
</panel>
Replace 'form.Response_Resolution' with 'value'
Also, please include the full XML definition for the input.
There is no input field. All I have in the dashboard is a panel with the search and the filter criteria that needs to have these token values. One thing that I noticed is, if I edit the same page after it is loaded, the search results are getting loaded. I believe the search is triggered before the token is set.
Then where is the condition block you posted supposedly going? Where is "form.Response_Resolution" defined?
What version of Splunk are you using?