Hello,
I'm sure I am missing something simple, but thought I should ask. I am running a search that does the following:
Fields
- dv_node = The string that holds the hostname of devices
- dv_number = A unique alert ID #
- state = a value of "Processed" when opened and a value of "Closed" when closed
- dv_severity = Clear means the alert has closed
The first part of the search grabs the alerts that are active. The second part of the search grabs the alerts that are closed. If it finds a match between the dv_number of an ACTIVE alert in the 1st search & the dv_number of a CLOSED alert in the 2nd search, eliminate that dv_number from the final count. This is because the logs we process may have many entries along the way, but there should be at LEAST 1 ACTIVE entry and 1 CLOSED entry in the logs (Since, if something alarms, it has to eventually clear right?).
At this point, the only thing that should be showing up are active items. At this point, we run a dedup to eliminate those "many entries along the way" logs. Basically, let's ignore everything that came after that initial alert, until a matching closed event is found.
Finally, do a count by dv_node to get a # of active entries per hostname.
<panel>
<title>Active Events (Last 5 minutes)</title>
<table>
<search>
<query>[search dv_severity NOT "Clear" state=Processed | fields dv_number ] NOT [search dv_severity="Clear" state=Closed | fields dv_number ] | dedup dv_number | stats count by dv_node</query>
<earliest>-5m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
<refresh>2m</refresh>
<refreshType>delay</refreshType>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
I went ahead and tried adjusting it to the following:
<panel>
<title>Active Events (Last 5 minutes)</title>
<table>
<search>
<query>[search dv_severity NOT "Clear" state=Processed | fields dv_number ] NOT [search dv_severity="Clear" state=Closed | fields dv_number ] | dedup dv_number | stats count by dv_node</query>
<earliest>-5m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
<refresh>2m</refresh>
<refreshType>delay</refreshType>
<progress>
<condition match="'job.resultCount' == 0">
<set token="panel_show">false</set>
</condition>
<condition>
<unset token="panel_show"/>
</condition>
</progress>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
Now with all the preamble out of the way, this is what I'm trying to accomplish: If the ACTIVE events are found to be 0, can I make the panel disappear? Essentially, I only want the panel to "appear" on screen when it finds an ACTIVE alert. However, when I run my dashboard I still see the panel, with the "No Results Found".
I hope that makes sense. Thanks in advance.
@kiddsupreme, you would need to read about depends/rejects attribute to understand how they work.
When depends is used with a visualization element, it shows the element only when the token is set (could be any value) and hides it when the token is unset (is undefined or null).
With rejects the same behavior is reversed, i.e. when the token is set the element is hidden and when the token is unset the element is displayed.
Refer to the Null Search Swapper example in the Splunk Dashboard Examples App or an example with depends in Splunk Docs.
In your case, since you are setting the token when the number of results returned is 0, you should also add the token as rejects, which is missing in the code you have provided. Try the following code and confirm:
<panel rejects="$panel_show$">
....
....
....
<progress>
<condition match="$job.resultCount$==0">
<set token="panel_show">true</set>
</condition>
<condition>
<unset token="panel_show"></unset>
</condition>
</progress>
PS: If you are on Splunk 6.5 or higher, you should use the <progress> search event handler. If you are on Splunk 6.4 or a previous version you should use the <preview> search event handler instead.
Thank you; that is working perfectly. I did however need to remove the after the because Splunk's error message reads: "Unexpected close tag". Once I removed that tag, it worked as expected. I appreciate not only the solution, but your detailed explanation; it definitely helped me visualize how it works. Thanks again!
Okay, apparently I didn't have my XML quite lined up... once I fixed that, the command worked as well.