Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can't get a dashboard panel to show using panel depends

randy_moore
Path Finder
‎12-29-2017 07:31 AM

I can't get this simple dashboard panel to show. Followed other published examples but nothing appears.

If I do "Edit Panel" I can see that the query does work as the "Message" variable does appear in the panel. However in normal/non-edit mode there is no panel.

Using splunk enterprise V 6.4.1

here is the xml

<dashboard>
  <label>Test panel showing</label>
  <description>Grrr why doesnt this work?</description>
  <row>
    <panel depends="$panel_show$">
      <single>
        <title>Test</title>
        <search id="your_search">
          <query>index=abc sourcetype=palo-alert   message="*suspend*" | stats count as Count | where Count>5 | eval Message="There have been "+Count+" timeouts" | table Message</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
          <progress>
            <condition match="'result.Count' >0">
              <set token="panel_show">true</set>
            </condition>
            <condition>
              <unset token="panel_show"></unset>
            </condition>
          </progress>
        </search>
        <option name="refresh.auto.interval">10</option>
        <option name="drilldown">none</option>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="numberPrecision">0</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
        <option name="linkView">search</option>
      </single>
    </panel>
  </row>
 </dashboard>
Reply
1 Solution
Solved! Jump to solution
Solution

micahkemp
Champion
‎12-29-2017 12:00 PM

Actually, this is closer to what you had, and seems to work with a few changes:

<dashboard>
   <label>Test panel showing</label>
   <description>Grrr why doesnt this work?</description>
   <row>
     <panel depends="$panel_show$">
       <single>
         <title>Test</title>
         <search>
           <query>index=abc sourcetype=palo-alert   message="*suspend*" | stats count as Count | where Count>5 | eval Message="There have been "+Count+" timeouts" | table Message</query>
           <done>
            <condition match="'job.resultCount' == 0">
              <unset token="panel_show"></unset>
            </condition>
            <condition match="'job.resultCount' == 1">
              <set token="panel_show">true</set>
            </condition>
          </done>
         </search>
         <option name="drilldown">none</option>
         <option name="colorBy">value</option>
         <option name="colorMode">none</option>
         <option name="numberPrecision">0</option>
         <option name="showSparkline">1</option>
         <option name="showTrendIndicator">1</option>
         <option name="trendColorInterpretation">standard</option>
         <option name="trendDisplayMode">absolute</option>
         <option name="unitPosition">after</option>
         <option name="useColors">0</option>
         <option name="useThousandSeparators">1</option>
       </single>
     </panel>
   </row>
  </dashboard>

One issue you were running into is you were checking the value of the Count field, but that field wasn't returned by your search (it was removed by the table command). You can use job.resultCount for the condition instead.

View solution in original post

Reply
Solved! Jump to solution
Solution

micahkemp
Champion
‎12-29-2017 12:00 PM

Actually, this is closer to what you had, and seems to work with a few changes:

<dashboard>
   <label>Test panel showing</label>
   <description>Grrr why doesnt this work?</description>
   <row>
     <panel depends="$panel_show$">
       <single>
         <title>Test</title>
         <search>
           <query>index=abc sourcetype=palo-alert   message="*suspend*" | stats count as Count | where Count>5 | eval Message="There have been "+Count+" timeouts" | table Message</query>
           <done>
            <condition match="'job.resultCount' == 0">
              <unset token="panel_show"></unset>
            </condition>
            <condition match="'job.resultCount' == 1">
              <set token="panel_show">true</set>
            </condition>
          </done>
         </search>
         <option name="drilldown">none</option>
         <option name="colorBy">value</option>
         <option name="colorMode">none</option>
         <option name="numberPrecision">0</option>
         <option name="showSparkline">1</option>
         <option name="showTrendIndicator">1</option>
         <option name="trendColorInterpretation">standard</option>
         <option name="trendDisplayMode">absolute</option>
         <option name="unitPosition">after</option>
         <option name="useColors">0</option>
         <option name="useThousandSeparators">1</option>
       </single>
     </panel>
   </row>
  </dashboard>

One issue you were running into is you were checking the value of the Count field, but that field wasn't returned by your search (it was removed by the table command). You can use job.resultCount for the condition instead.

Reply
Solved! Jump to solution

randy_moore
Path Finder
‎12-29-2017 02:27 PM

That worked! I was racking my brain for hours trying out different ways to get it to work.

Now I will dissect the changes you made and see what HOW that made them work. Many thanks!

0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎12-29-2017 11:49 AM

I'd suggest moving your search to a base search, which other panels can make use of results from, then have two other panels (always hidden) set/unset. There is probably a better way, but this at least seems to work.

<dashboard>
  <label>Test panel showing</label>
  <description>Grrr why doesnt this work?</description>
  <search id="base">
    <query>index=abc sourcetype=palo-alert   message="*suspend*" | stats count as Count</query>
    <earliest>-30d@d</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel depends="$never$">
      <single>
        <title>Test</title>
        <search base="base">
          <query>where Count<=5</query>
          <done>
            <condition match="'job.resultCount' == 1">
              <unset token="panel_show"></unset>
            </condition>
          </done>
        </search>
      </single>
    </panel>
    <panel depends="$never$">
      <single>
        <title>Test</title>
        <search base="base">
          <query>where Count>5</query>
          <done>
            <condition match="'job.resultCount' == 1">
              <set token="panel_show">true</set>
            </condition>
          </done>
         </search>
       </single>
     </panel>
     <panel depends="$panel_show$">
       <single>
         <title>Test</title>
         <search base="base">
           <query>eval Message="There have been "+Count+" timeouts" | table Message</query>
         </search>
         <option name="drilldown">none</option>
         <option name="colorBy">value</option>
         <option name="colorMode">none</option>
         <option name="numberPrecision">0</option>
         <option name="showSparkline">1</option>
         <option name="showTrendIndicator">1</option>
         <option name="trendColorInterpretation">standard</option>
         <option name="trendDisplayMode">absolute</option>
         <option name="unitPosition">after</option>
         <option name="useColors">0</option>
         <option name="useThousandSeparators">1</option>
       </single>
     </panel>
   </row>
  </dashboard>
0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-29-2017 07:53 AM

Hi @randy_moore,

In Condition, you have used Count field.

like..

<condition match="'result.Count' >0">

And in your search, the only Message is in the final field list.

<query>index=abc sourcetype=palo-alert   message="*suspend*" | stats count as Count | where Count>5 | eval Message="There have been "+Count+" timeouts" | table Message</query>

So Can you please add Count after Message and try again?

Thanks

0 Karma
Reply
Solved! Jump to solution

randy_moore
Path Finder
‎12-29-2017 10:36 AM

Hi @kamlesh_vaghela

I think you meant put Count after Message on the table command at the end of the query. I just did. 

<query>index=abc sourcetype=palo-alert   message="*suspend*" | stats count as Count | where Count>5 | eval Message="There have been "+Count+" timeouts" | table Message Count </query>

Nothing changed. Panel is still not appearing

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...