Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

[BUG] Built in token $message$ for <fail> Search Event Handler not working

niketn
Legend
‎08-04-2019 02:31 AM

I tested the behavior of <fail> Search Event Handler in version 7.2.x and 7.3.x and the default available token $message$ does not seem to work as it prints [object Object] instead of printing actual Error Message. Refer to Splunk Documentation for $message$ token behavior: https://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#fail

This broken behavior of $message$ means we can not show custom search error message if required.

Please try the following run anywhere example with a search query that is made to fail with the use of map command.

alt text

Following is Simple XML code:

<dashboard>
  <label>Dashboard to Test fail message token</label>
  <row>
    <panel>
      <title>Fail Message: $tokFailMessage$</title>
      <table>
        <search>
          <query>| makeresults
| map search="| makeresults
| eval token=$$tokenThatDoesNotExistForFailingQuery$$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <fail>
            <set token="tokFailMessage">$message$</set>
          </fail>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</dashboard>

PS: I checked through Simple XML JS extension and Splunk JS stack that token actually has string [object Object] value rather than the object itself. Which implies even through JS we can not parse the Object to fetch required Error message.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Tags (2)
Preview file
1 KB
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-04-2019 06:14 AM

Thank you for sharing your bug report with the Community. We appreciate knowing about this, but can't fix it. You need to file a support case with Splunk so they know about the problem and can address it.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

niketn
Legend
‎08-04-2019 09:49 AM

Thanks @richgalloway I have opened a case for Splunk Team. The post here is for anyone who has figured out a workaround. We need to display custom error messages depending on the error that occurs when a search runs under certain circumstances.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Get Updates on the Splunk Community!

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...