Hide Row When Post-Process Search Returns Zero Results

RickCurry
Explorer

I want to hide a row of two panels when the search results are zero. I found an example of this in the doc (http://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens) and the search they use is an embedded search for the panel (they are hiding the panel but the code should work at the row level as well). However, in my dashboard, I am using a Base Search then using a Post-Processing Search on each of the two panels as the row is reporting a single value count of the data being examined and the other panel is displaying a timeline of that same data. It appears that the test for ‘job.resultCount’ uses the value from the Base Search and not the Post-Processing Search. Although our Post-Processing Search has no results (count=0), the row displays because the Base Search has events returned; but the Post-Process Search filters them out.

Is there a way to make this work?

To help, here are some code snippets to give you an idea of what I am doing:

Base Search

access_failures | transform_query_to_stats_v2
$search_timerange.earliest$
$search_timerange.latest$

This search pulls the “core” data that will be used in the dashboard’s panels.

Panel with Post-Process Search

<row depends="$row1_show$">
<panel>
  <title>Total Access Violations</title>
    <single>
      <title>Access Failures Exceeding Threshold Limit</title>
      <search base="access_violations">
        <query>`access_violations_rpt_lvl0`</query>
        <done>
          <condition match="'job.resultCount' > 0">
            <set token="row1_show">true</set>
          </condition>
          <condition>
            <unset token="row1_show"/>
          </condition>
        </done>
      </search>

The XML goes on to define the single value display attributes followed by the panel definition for the timeline display of the data. The Post-Processing Search for the second panel uses the same Base Search but uses “timechart” in its macro to generate the timeline. As these searches are all based on the same data, if one doesn’t provide data, the other one will not either.

I also saw in the Event Handler Reference doc (http://docs.splunk.com/Documentation/Splunk/6.5.2/Viz/EventHandlerReference#Search_event_handlers) where the syntax for the element implies that an eval expression can be used in the “condition match” option, but there is no example provided. It also indicates that there are two tokens available for use in the “match”: job.property and result.field. I tried using the result.field option but it did not work. The macro used in the panels renames the generated ‘count’ field and specifying either of these two fields does not provide the correct results. In a “real” search, if I want to use the renamed field later in the search, I must embed the field’s name in double-quote marks, but that is not an option in the XML; it throws off the structure of the elements and options and the code won’t save. Using the original field name (count) or the rename value (Violations) without the quote marks doesn’t give the needed result in hiding the row.

Any suggestions on how to make this work?

0 Karma
1 Solution

niketn
Legend

Your query seems to be correct; single quote or dollar can both be used for the condition match block. Can you please try the following?
Also print $row1_show$ somewhere in your form just to confirm whether you are actually setting the token to null and true or not.

If you have used post-processing in your query, most likely you are sending stats, and stats will default aggregates like count and distinct_count to 0. Hence, instead of returning null results, the query will actually send one result back with the aggregate defaulted to 0 instead of null. So please verify this by printing $row1_show$ either as part of the panel title or else in an html panel.

     <done>
       <condition match="$job.resultCount$ == 0">
           <unset token="row1_show"/>
       </condition>
       <condition>
           <set token="row1_show">true</set>
       </condition>
     </done>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


RickCurry
Explorer

Thank you @niketnilay for your response. I do find it odd to reverse the testing as you indicate, and I see how it will work, but it does not in my situation. The problem is not in how I have this coded but in how the code itself works. It is in that aspect that I think the failure is occurring. It seems that the condition match code looks at the Base search and not at the results of a Post-Process search. There may be something else going on as well, as I changed one of my dashboard panels to use an embedded search and it still shows the row when the end result of the search has a single value of zero.

Here is my embedded search:

tag=database tag=query action=failure | `find_NULL_fields` | stats count by _time, event_time, event_id, severity, src_ip, os_user, src_app, dest_ip, dest_host, db_name, db_schema, db_user, sql_command, object_type, error_code, action, query | bin _time span=24h | stats count by _time, db_user | where count > 14 | stats count as Violations 

The idea is to collect the core events, bundle them into 24hr buckets and count the number of events, then keep only those totals where the total is 15 or more, then count how many of those are found. If I narrow my search to a specific time frame I will get 11 "core" events, which does not provide a sufficient total to provide a count over 14, so the end result for my single-value panel is zero. But there are 11 events returned, so the $job.resultCount$ parameter is not zero and the row displays.

I tried using the $result.count$ parameter which is supposed to allow me to use a value from the results set but that does not work at all and the $row1_show$ token is not generated. I get the same results if I use $result.Violations$ or $result.'Violations'$. This further deepens my suspicion that the condition match does not quite work as I am expecting.

Thank you again for your suggestion/ideas, although it doesn't solve the problem it does provide insight in looking at the problem in a different way. I appreciate that.

0 Karma

niketn
Legend

Since you have used count, it will be defaulted to 0 when there are no violations; hence $job.resultCount$ will have one row with the value of 0. Null search swapping through a token will work when the search returns no results. For example, if you add a condition to search for Violations greater than 0, you will get a null result or "no results found". On top of the same you can use a combination of set/unset and depends and rejects to display/hide sections of your dashboard when there are no Violations.

tag=database tag=query action=failure | `find_NULL_fields` | stats count by _time, event_time, event_id, severity, src_ip, os_user, src_app, dest_ip, dest_host, db_name, db_schema, db_user, sql_command, object_type, error_code, action, query | bin _time span=24h | stats count by _time, db_user | where count > 14 | stats count as Violations | search Violations>0
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
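A complete Simple XML form that puts the pieces from this thread together, added here as an illustration and not code from any of the posts: the base search from the question, a post-process search carrying the `| search Violations>0` filter from the answer, the done handler that sets or unsets `row1_show`, and a second row that uses `rejects` to show a placeholder while the first row is hidden. The macro names, the `access_violations` base id, the `search_timerange` token and the `Violations` field come from the thread; the labels, the default time range and the message text are assumed.

```xml
<form>
  <label>Access Violations</label>
  <fieldset submitButton="false">
    <input type="time" token="search_timerange">
      <label>Time range</label>
      <default><earliest>-24h@h</earliest><latest>now</latest></default>
    </input>
  </fieldset>

  <!-- Base search: runs once; the panel below post-processes its results.
       It returns events whenever failures exist, so its own job.resultCount
       is not a usable "any violations?" signal. -->
  <search id="access_violations">
    <query>`access_failures` | `transform_query_to_stats_v2`</query>
    <earliest>$search_timerange.earliest$</earliest>
    <latest>$search_timerange.latest$</latest>
  </search>

  <!-- The row is rendered only while the row1_show token is set. -->
  <row depends="$row1_show$">
    <panel>
      <title>Total Access Violations</title>
      <single>
        <search base="access_violations">
          <!-- "stats count as Violations" inside the macro always yields one
               row (possibly 0). Filtering on Violations>0 turns that lone 0
               row into zero rows, so job.resultCount is 0 exactly when there
               are no violations to show. -->
          <query>`access_violations_rpt_lvl0` | search Violations>0</query>
          <done>
            <condition match="$job.resultCount$ == 0">
              <unset token="row1_show"/>
            </condition>
            <condition>
              <set token="row1_show">true</set>
            </condition>
          </done>
        </search>
      </single>
    </panel>
  </row>

  <!-- Inverse of the row above: shown only while row1_show is NOT set. -->
  <row rejects="$row1_show$">
    <panel>
      <html><p>No access violations exceeded the threshold in the selected time range.</p></html>
    </panel>
  </row>
</form>
```

Because the done handler runs on the post-process search and not the base search, the token follows the filtered result count, which is the distinction the thread resolves.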

RickCurry
Explorer

@niketnilay, you have hit it straight on and you have enlightened me in the distinction of getting a value of zero for a return and no results being returned. This is where I was not making the connection. I now see where the "$job.resultCount$" token is returning how many events are returned from the search and not the result field "count" value. This is now working as wanted. Thank you for sticking with me on this and providing the clarity needed for this and future work like this.

0 Karma

RickCurry
Explorer

The Base Search code did not paste correctly, here is another attempt at getting the actual code included:

  <search id="access_violations">
    <query>`access_failures` | `transform_query_to_stats_v2`</query>
    <earliest>$search_timerange.earliest$</earliest>
    <latest>$search_timerange.latest$</latest>
  </search>
0 Karma

RickCurry
Explorer

For additional clarity on this -- the base search run within the macro produces data when it is available, and the post-process search will also, when it is available. I am trying to hide rows when the post-process search filters out all of the results from the base search. It appears that the job properties and "result.{field}" options use information only from the base search.

Can I at least get confirmation on this?

0 Karma