Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to condition a token unset based on time stamps

vshakur
Path Finder
‎08-16-2017 10:56 PM

I have the following XML code:

 <input type="dropdown" token="team" searchWhenChanged="true">
    <search>
      <query>.....</query>
    </search>
    <change>
      <unset token="some_token"></unset>
    </change>
 <input>

Even when I don't change the value of the input the change (the unset of some_token) occurs continuously until the search of the query is completely finished. The search itself can take a long time since it spans over a period of some weeks.

I'm trying to add a condition that would trigger the change (the unset of some_token) only at the moment the search process of the query began, without having to wait for the whole process to finish.

I tried condition match="_time=earliest" but that didn't work.

Please help me.

Thanks,
Sam

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎08-16-2017 11:28 PM

From the description provided you should be coding the event handler of search rather than change event handler of dropdown.

 <search>
   <query>.....</query>
   <progress>
      <condition match="$job.resultCount==0$">
             <!-- What do you want to do if search returns no result? It should go here-->
      </condition>
      <condition>
          <unset token="some_token"></unset>
      </condition>
   </progress>
 </search>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎08-16-2017 11:28 PM

From the description provided you should be coding the event handler of search rather than change event handler of dropdown.

 <search>
   <query>.....</query>
   <progress>
      <condition match="$job.resultCount==0$">
             <!-- What do you want to do if search returns no result? It should go here-->
      </condition>
      <condition>
          <unset token="some_token"></unset>
      </condition>
   </progress>
 </search>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

vshakur
Path Finder
‎08-16-2017 11:36 PM

Is job.resultCount a default field in Splunk or do I have to replace it with fields of my own?
Can I leave the content of the first condition empty?

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎08-17-2017 04:59 AM

$job.resultCount$ is default token available for Search Job. So you can use as it is. You can leave content of first Condition empty however, you can also keep just noe condition if you dont need to perform anything for no results:

   <condition match="$job.resultCount!=0$">
       <unset token="some_token"></unset>
   </condition>

OR

   <condition match="$job.resultCount>0$">
       <unset token="some_token"></unset>
   </condition>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎08-19-2017 10:54 PM

@vshakur, please accept the answer to mark this question as answered. If you require further assistance, do let us know.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

vshakur
Path Finder
‎08-20-2017 09:06 AM

I just have one more question:
Does $job.resultCount$ changes at real time as search process continues or is its value obtained at the end of the search?

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎08-20-2017 09:12 AM

@vshakur, that actually depends upon which search event handler you are using. If you use <progress>, it will update as the search run. If you just want to display the final value after the search completes you can use <done> instead.

Read about Search Event Handlers in the Splunk Documentation to understand this concept along with examples.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎08-16-2017 11:00 PM

@vshakur, you might have to add more details on what are you trying to achieve.
Do you need to pick just the $time_picker.latest$ token?

What do you imply by "I would like the unset of some_token to occur only for the fist timestamp of the search"

Can you provide example with data?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

vshakur
Path Finder
‎08-16-2017 11:25 PM

I edited my question.
I just want the change to occur at the moment I choose a different value in the dropdown input. Right now the change occurs long after I picked a different value in the dropdown input because it takes a long time for the search process to finish, the searching process itself triggers the change.

0 Karma
Reply
Get Updates on the Splunk Community!

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Building Momentum: Splunk Developer Program at .conf25

At Splunk, developers are at the heart of innovation. That’s why this year at .conf25, we officially launched ...