I can't get this simple dashboard panel to show. Followed other published examples but nothing appears.
If I do "Edit Panel" I can see that the query does work as the "Message" variable does appear in the panel. However in normal/non-edit mode there is no panel.
Using splunk enterprise V 6.4.1
here is the xml
<dashboard>
<label>Test panel showing</label>
<description>Grrr why doesnt this work?</description>
<row>
<panel depends="$panel_show$">
<single>
<title>Test</title>
<search id="your_search">
<query>index=abc sourcetype=palo-alert message="*suspend*" | stats count as Count | where Count>5 | eval Message="There have been "+Count+" timeouts" | table Message</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
<progress>
<condition match="'result.Count' >0">
<set token="panel_show">true</set>
</condition>
<condition>
<unset token="panel_show"></unset>
</condition>
</progress>
</search>
<option name="refresh.auto.interval">10</option>
<option name="drilldown">none</option>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="numberPrecision">0</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">0</option>
<option name="useThousandSeparators">1</option>
<option name="linkView">search</option>
</single>
</panel>
</row>
</dashboard>
Actually, this is closer to what you had, and seems to work with a few changes:
<dashboard>
<label>Test panel showing</label>
<description>Grrr why doesnt this work?</description>
<row>
<panel depends="$panel_show$">
<single>
<title>Test</title>
<search>
<query>index=abc sourcetype=palo-alert message="*suspend*" | stats count as Count | where Count>5 | eval Message="There have been "+Count+" timeouts" | table Message</query>
<done>
<condition match="'job.resultCount' == 0">
<unset token="panel_show"></unset>
</condition>
<condition match="'job.resultCount' == 1">
<set token="panel_show">true</set>
</condition>
</done>
</search>
<option name="drilldown">none</option>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="numberPrecision">0</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">0</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>
</row>
</dashboard>
One issue you were running into is you were checking the value of the Count
field, but that field wasn't returned by your search (it was removed by the table
command). You can use job.resultCount
for the condition instead.
Actually, this is closer to what you had, and seems to work with a few changes:
<dashboard>
<label>Test panel showing</label>
<description>Grrr why doesnt this work?</description>
<row>
<panel depends="$panel_show$">
<single>
<title>Test</title>
<search>
<query>index=abc sourcetype=palo-alert message="*suspend*" | stats count as Count | where Count>5 | eval Message="There have been "+Count+" timeouts" | table Message</query>
<done>
<condition match="'job.resultCount' == 0">
<unset token="panel_show"></unset>
</condition>
<condition match="'job.resultCount' == 1">
<set token="panel_show">true</set>
</condition>
</done>
</search>
<option name="drilldown">none</option>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="numberPrecision">0</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">0</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>
</row>
</dashboard>
One issue you were running into is you were checking the value of the Count
field, but that field wasn't returned by your search (it was removed by the table
command). You can use job.resultCount
for the condition instead.
That worked! I was racking my brain for hours trying out different ways to get it to work.
Now I will dissect the changes you made and see what HOW that made them work. Many thanks!
I'd suggest moving your search to a base search, which other panels can make use of results from, then have two other panels (always hidden) set/unset. There is probably a better way, but this at least seems to work.
<dashboard>
<label>Test panel showing</label>
<description>Grrr why doesnt this work?</description>
<search id="base">
<query>index=abc sourcetype=palo-alert message="*suspend*" | stats count as Count</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<row>
<panel depends="$never$">
<single>
<title>Test</title>
<search base="base">
<query>where Count<=5</query>
<done>
<condition match="'job.resultCount' == 1">
<unset token="panel_show"></unset>
</condition>
</done>
</search>
</single>
</panel>
<panel depends="$never$">
<single>
<title>Test</title>
<search base="base">
<query>where Count>5</query>
<done>
<condition match="'job.resultCount' == 1">
<set token="panel_show">true</set>
</condition>
</done>
</search>
</single>
</panel>
<panel depends="$panel_show$">
<single>
<title>Test</title>
<search base="base">
<query>eval Message="There have been "+Count+" timeouts" | table Message</query>
</search>
<option name="drilldown">none</option>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="numberPrecision">0</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">0</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>
</row>
</dashboard>
Hi @randy_moore,
In Condition, you have used Count
field.
like..
<condition match="'result.Count' >0">
And in your search, the only Message
is in the final field list.
<query>index=abc sourcetype=palo-alert message="*suspend*" | stats count as Count | where Count>5 | eval Message="There have been "+Count+" timeouts" | table Message</query>
So Can you please add Count
after Message
and try again?
Thanks
Hi @kamlesh_vaghela
I think you meant put Count after Message on the table command at the end of the query. I just did.
<query>index=abc sourcetype=palo-alert message="*suspend*" | stats count as Count | where Count>5 | eval Message="There have been "+Count+" timeouts" | table Message Count </query>
Nothing changed. Panel is still not appearing