How to condition a token unset based on time stamps

vshakur
Path Finder

I have the following XML code:

 <input type="dropdown" token="team" searchWhenChanged="true">
    <search>
      <query>.....</query>
    </search>
    <change>
      <unset token="some_token"></unset>
    </change>
 </input>

Even when I don't change the value of the input, the change (the unset of some_token) occurs continuously until the search of the query is completely finished. The search itself can take a long time since it spans a period of some weeks.

I'm trying to add a condition that would trigger the change (the unset of some_token) only at the moment the search process of the query began, without having to wait for the whole process to finish.

I tried condition match="_time=earliest" but that didn't work.

Please help me.

Thanks,
Sam

0 Karma

From the description provided you should be coding the event handler of search rather than change event handler of dropdown.

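 <search>
   <query>.....</query>
   <progress>
      <!-- The token is delimited by $...$; the comparison sits outside the token -->
      <condition match="$job.resultCount$ == 0">
             <!-- What do you want to do if search returns no result? It should go here-->
      </condition>
      <!-- Default condition: applies when the condition above does not match -->
      <condition>
          <unset token="some_token"></unset>
      </condition>
   </progress>
 </search>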
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


vshakur
Path Finder

Is job.resultCount a default field in Splunk or do I have to replace it with fields of my own?
Can I leave the content of the first condition empty?

0 Karma

$job.resultCount$ is a default token available for the search job, so you can use it as it is. You can leave the content of the first condition empty; however, you can also keep just one condition if you don't need to perform anything for no results:

   <condition match="$job.resultCount$ != 0">
       <unset token="some_token"></unset>
   </condition>

OR

   <condition match="$job.resultCount$ > 0">
       <unset token="some_token"></unset>
   </condition>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

@vshakur, please accept the answer to mark this question as answered. If you require further assistance, do let us know.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

vshakur
Path Finder

I just have one more question:
Does $job.resultCount$ change in real time as the search process continues, or is its value obtained at the end of the search?

0 Karma

@vshakur, that actually depends upon which search event handler you are using. If you use <progress>, it will update as the search runs. If you just want to display the final value after the search completes, you can use <done> instead.

Read about Search Event Handlers in the Splunk Documentation to understand this concept along with examples.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
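
Added example, not part of the thread and not any poster's code: a Simple XML form that puts the two handlers discussed above side by side, with `<progress>` firing on each update while the job runs and `<done>` firing once when it finishes. The query, `index=main`, the `team` choices, and the `running_count` and `final_status` tokens are assumptions; only `some_token` and `$job.resultCount$` come from the thread.

```xml
<form>
  <label>Search event handler demo (constructed example)</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="team" searchWhenChanged="true">
      <label>Team</label>
      <!-- Constructed static choices so the input needs no populating search -->
      <choice value="red">red</choice>
      <choice value="blue">blue</choice>
      <default>red</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- Hypothetical query; the |s filter quotes the token value before
               it is substituted into the search string -->
          <query>index=main team=$team|s$ | stats count by host</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
          <!-- Evaluated on every progress update while the job is running -->
          <progress>
            <condition match="$job.resultCount$ > 0">
              <unset token="some_token"></unset>
              <set token="running_count">$job.resultCount$</set>
            </condition>
          </progress>
          <!-- Evaluated once, after the job has finished -->
          <done>
            <condition match="$job.resultCount$ == 0">
              <set token="final_status">no results</set>
            </condition>
            <condition>
              <set token="final_status">$job.resultCount$ results</set>
            </condition>
          </done>
        </search>
      </table>
    </panel>
  </row>
</form>
```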

@vshakur, you might have to add more details on what you are trying to achieve.
Do you need to pick just the $time_picker.latest$ token?

What do you imply by "I would like the unset of some_token to occur only for the first timestamp of the search"?

Can you provide example with data?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

vshakur
Path Finder

I edited my question.
I just want the change to occur at the moment I choose a different value in the dropdown input. Right now the change occurs long after I picked a different value in the dropdown input because it takes a long time for the search process to finish; the searching process itself triggers the change.

0 Karma