topic Re: Why is setting a token from result not working? in Splunk Search

Why is setting a token from result not working?

snoobzilla — Thu, 23 Feb 2017 21:16:25 GMT

Any ideas on why KER_RESULT would not be working? Tail end of base query...

Updated code...

 <search id="events">
    <query>$environment$ $bloomfilter$ `Errors` 
| eval KER_EDIT=KER
| search Client_Impact!="Normal_Dialog" $searchType$$searchField$
| table _time ErrorLogID KER
    </query>
    <earliest>$timerange.earliest$</earliest>
    <latest>$timerange.latest$</latest>
    <done>
        <condition match="'job.resultCount' == 1">
          <set token="KER">$result.KER$</set>
          <set token="singleresult">true</set>
          <set token="runDuration">$job.runDuration$</set>
        </condition>
        <condition match="'job.resultCount' != 1">
          <set token="runDuration">$job.runDuration$</set>
          <unset token="singleresult"></unset>
          <unset token="KER"></unset>
        </condition>
     </done>
     <finalized>
        <eval token="KER_COLUMN">coalesce($view$,"KER")</eval>
     </finalized>
 </search>

There is a single result and a KER value but the KER_RESULT token keeps coming back as $result.KER$ even though singleresult token is returning true.

Thanks

Re: Why is setting a token from result not working?

somesoni2 — Thu, 23 Feb 2017 21:35:28 GMT

Try this <condition match=" 'job.resultCount' == 1"> instead of <condition match="$job.resultCount$ == 1">.

http://docs.splunk.com/Documentation/Splunk/6.3.3/Viz/tokens#Search_tokens_for_dynamic_display_example

Re: Why is setting a token from result not working?

lquinn — Thu, 23 Feb 2017 22:30:44 GMT

I just tried your code above and it worked perfectly for me ... Is there any other part of your dashboard that could be affecting this?

Re: Why is setting a token from result not working?

DalJeanis — Fri, 24 Feb 2017 03:50:26 GMT

interface note - if you add a line with <query> at the front of the code you posted, all the colors will straighten out so that only the literals are green.

Re: Why is setting a token from result not working?

niketn — Fri, 24 Feb 2017 06:37:43 GMT

Can you try couple of things?

1) Print a table with required fields in your base search | table _time ErrorLogID KER (also run independently to confirm that only one row exist and data is getting populated. You should not get No results found)
2) Changing match condition from$job.resultCount$==1 to $job.resultCount$!=0. This way there will just be two condition blocks i.e. eith results are returned or not returned.
3) I am not sure if the following will help but changing Search Event Handler from done to progress

Re: Why is setting a token from result not working?

snoobzilla — Fri, 24 Feb 2017 13:06:27 GMT

I added more of surrounding code... it is a base search and there is a finalized event handler at the end but pulling that did not fix.

Re: Why is setting a token from result not working?

snoobzilla — Fri, 24 Feb 2017 13:11:30 GMT

@niketnilay Updated with more of surrounding code. Tried your suggestions, no improvement.

Re: Why is setting a token from result not working?

snoobzilla — Fri, 24 Feb 2017 13:12:57 GMT

Thanks, no change. Updated with more of surrounding code.

Re: Why is setting a token from result not working?

jkat54 — Fri, 24 Feb 2017 13:58:15 GMT

You should post the whole dashboard code IMHO.

Re: Why is setting a token from result not working?

snoobzilla — Fri, 24 Feb 2017 14:17:03 GMT

@jkat54 a bit of a pain to sanitize from internal references... may resort to that eventually.

Re: Why is setting a token from result not working?

niketn — Fri, 24 Feb 2017 15:19:59 GMT

Which version of Splunk are you using?

Re: Why is setting a token from result not working?

snoobzilla — Fri, 24 Feb 2017 15:22:19 GMT

Enterprise 6.4.1

Re: Why is setting a token from result not working?

niketn — Fri, 24 Feb 2017 16:45:02 GMT

Strange result.field token should be available in preview and finalized event for Splunk 6.4.1.
Can you please confirm if you are using query like the one below? It should either hit the first block or second block...

<preview>
     <condition match="'job.resultCount' == 0">
       <set token="runDuration">$job.runDuration$</set>
       <unset token="singleresult"></unset>
       <unset token="KER"></unset>
       <set token="test">NoResults</set>
     </condition>
     <condition>
       <set token="KER">$result.KER$</set>
       <set token="singleresult">true</set>
       <set token="runDuration">$job.runDuration$</set>
       <set token="test">ResultsFound</set>
     </condition>
  </preview>

I have also added test token... Can you print to confirm which block is being hit?

Re: Why is setting a token from result not working?

snoobzilla — Fri, 24 Feb 2017 17:54:19 GMT

Thanks for all the help troubleshooting. Not sure who to credit answer too... but when I eliminated extra event handler and put everything in finalized it works.

Finalized vs above...

    <finalized>
        <condition match="'job.resultCount' == 1">
          <set token="KER">$result.KER$</set>
          <set token="singleresult">true</set>
          <set token="runDuration">$job.runDuration$</set>
          <eval token="KER_COLUMN">coalesce($view$,"KER")</eval>
        </condition>
        <condition match="'job.resultCount' != 1">
          <set token="runDuration">$job.runDuration$</set>
          <unset token="singleresult"></unset>
          <unset token="KER"></unset>
          <eval token="KER_COLUMN">coalesce($view$,"KER")</eval>
        </condition>
     </finalized>

I thought I had tried this.

Also eliminated some unnecessary table drilldown options in an event handler elsewhere... good news is working now.

Re: Why is setting a token from result not working?

niketn — Fri, 24 Feb 2017 19:33:54 GMT

Cheers everyone!!!

@snoobzilla ...You can mark your own previous comment as the answer!

Re: Why is setting a token from result not working?

woodcock — Sat, 25 Mar 2017 10:30:15 GMT

If you do not know whom to credit then go back to each answer and comment that assisted you and upvote (yes, you can upvote comments; go ahead and try on this one)!