Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

[BUG] Built in token $message$ for <fail> Search Event Handler not working

niketn
Legend
‎08-04-2019 02:31 AM

I tested the behavior of <fail> Search Event Handler in version 7.2.x and 7.3.x and the default available token $message$ does not seem to work as it prints [object Object] instead of printing actual Error Message. Refer to Splunk Documentation for $message$ token behavior: https://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#fail

This broken behavior of $message$ means we can not show custom search error message if required.

Please try the following run anywhere example with a search query that is made to fail with the use of map command.

alt text

Following is Simple XML code:

<dashboard>
  <label>Dashboard to Test fail message token</label>
  <row>
    <panel>
      <title>Fail Message: $tokFailMessage$</title>
      <table>
        <search>
          <query>| makeresults
| map search="| makeresults
| eval token=$$tokenThatDoesNotExistForFailingQuery$$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <fail>
            <set token="tokFailMessage">$message$</set>
          </fail>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</dashboard>

PS: I checked through Simple XML JS extension and Splunk JS stack that token actually has string [object Object] value rather than the object itself. Which implies even through JS we can not parse the Object to fetch required Error message.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Tags (2)
Preview file
19 KB
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-04-2019 06:14 AM

Thank you for sharing your bug report with the Community. We appreciate knowing about this, but can't fix it. You need to file a support case with Splunk so they know about the problem and can address it.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

niketn
Legend
‎08-04-2019 09:49 AM

Thanks @richgalloway I have opened a case for Splunk Team. The post here is for anyone who has figured out a workaround. We need to display custom error messages depending on the error that occurs when a search runs under certain circumstances.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...