I tested the behavior of <fail>
Search Event Handler in version 7.2.x
and 7.3.x
and the default available token $message$
does not seem to work as it prints [object Object]
instead of printing actual Error Message. Refer to Splunk Documentation for $message$
token behavior: https://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#fail
This broken behavior of $message$
means we can not show custom search error message if required.
Please try the following run anywhere example with a search query that is made to fail with the use of map command.
Following is Simple XML code:
<dashboard>
<label>Dashboard to Test fail message token</label>
<row>
<panel>
<title>Fail Message: $tokFailMessage$</title>
<table>
<search>
<query>| makeresults
| map search="| makeresults
| eval token=$$tokenThatDoesNotExistForFailingQuery$$"</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<fail>
<set token="tokFailMessage">$message$</set>
</fail>
</search>
<option name="count">10</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</dashboard>
PS: I checked through Simple XML JS extension and Splunk JS stack that token actually has string [object Object]
value rather than the object itself. Which implies even through JS we can not parse the Object to fetch required Error message.
Thank you for sharing your bug report with the Community. We appreciate knowing about this, but can't fix it. You need to file a support case with Splunk so they know about the problem and can address it.
Thanks @richgalloway I have opened a case for Splunk Team. The post here is for anyone who has figured out a workaround. We need to display custom error messages depending on the error that occurs when a search runs under certain circumstances.