I am running my query and, say, the total statistics returned is 3,00,000 (returned 3,00,000 results) and the search is completed.
How can I show the same statistics value and search completed in my dashboard as an indicator?
Hi @vikashperiwal,
You can use the done element to set a token with the result count when the search is completed/finalised, and use html to show the status, like below.
<form>
  <init>
    <set token="statusMessage">Search is running...</set>
  </init>
  <label>Dashboard</label>
  <fieldset submitButton="false">
    <input type="time" token="tokTime" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <html>
      <h1>$statusMessage$</h1>
    </html>
  </row>
  <row>
    <panel>
      <table>
        <title>Internal index data</title>
        <search>
          <query>index=_internal sourcetype=splunkd | table sourcetype source host</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <done>
            <set token="statusMessage">Search is completed. Event count: $job.resultCount$.</set>
          </done>
        </search>
        <option name="refresh.display">progressbar</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
@manjunathmeti ... thanks, this is what I wanted.....
Since one of the answers is already posted, I will just list the two possible approaches, i.e. using predefined job tokens and the Splunk REST API to fetch job details.
Following is a run-anywhere example of both approaches:
<dashboard>
  <label>Search Job Properties</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!=INFO
| top component</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
          <done>
            <set token="tokSid">$job.sid$</set>
            <set token="tokEventCount">$job.eventCount$</set>
            <set token="tokscanCount">$job.scanCount$</set>
            <set token="tokrunDuration">$job.runDuration$</set>
          </done>
        </search>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <div>Option 1: Using <a href="https://docs.splunk.com/Documentation/Splunk/latest/Search/ViewsearchjobpropertieswiththeJobInspector#Search_job_properties" target="_blank">job predefined tokens:</a>
        </div>
        <div>This search has completed and has returned $tokEventCount$ results by scanning $tokscanCount$ events in $tokrunDuration$ seconds</div>
        <div>(SID: $tokSid$)</div>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <div>Option 2: Using REST API <a href="https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#search.2Fjobs.2F.7Bsearch_id.7D" target="_blank">search/jobs/{searchid}</a></div>
      </html>
      <table>
        <search>
          <query>| rest /servicesNS/-/-/search/jobs/$tokSid$
| fields scanCount resultCount runDuration
| eval result="This search has completed and has returned ".resultCount." results by scanning ".scanCount." events in ".runDuration." seconds;(SID: $tokSid$)"
| fields result
| makemv result delim=";"</query>
          <earliest>-1s</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
Hey @niketnilay ... it's you again. I had just got the solution from one of your earlier posts and was about to add that in the comment, but thanks, I wanted all three attributes to show.....
This worked for me
<set token="tokEventCount">$job.eventCount$</set>
<set token="tokscanCount">$job.scanCount$</set>
<set token="tokrunDuration">$job.runDuration$</set>
Great! Do read the documentation for all the other attributes and the REST API for an alternative approach. Also upvote the comment/previous answer that helped 🙂
Try the single value visualization.
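The single value suggestion combined with the done-handler token from the earlier answers, as an added example that is not taken from any of the posts above. The token name tokResultCount and the search id baseSearch are assumptions chosen for illustration; the query and time picker are reused from the first answer.

```xml
<form>
  <label>Search status indicator</label>
  <fieldset submitButton="false">
    <input type="time" token="tokTime" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <!-- Global search: has no panel of its own, it only publishes the job's result count as a token -->
  <search id="baseSearch">
    <query>index=_internal sourcetype=splunkd | table sourcetype source host</query>
    <earliest>$tokTime.earliest$</earliest>
    <latest>$tokTime.latest$</latest>
    <progress>
      <!-- Clear the token while the search is (re)running so the indicator resets -->
      <unset token="tokResultCount"></unset>
    </progress>
    <done>
      <set token="tokResultCount">$job.resultCount$</set>
    </done>
  </search>
  <row>
    <!-- Visible only while tokResultCount is unset, i.e. the search has not finished -->
    <panel rejects="$tokResultCount$">
      <html>
        <h1>Search is running...</h1>
      </html>
    </panel>
    <!-- Visible only after the done handler has set tokResultCount -->
    <panel depends="$tokResultCount$">
      <single>
        <title>Search is completed</title>
        <search>
          <!-- makeresults creates one row; table keeps only the count for the single value -->
          <query>| makeresults | eval resultCount=$tokResultCount$ | table resultCount</query>
        </search>
        <option name="underLabel">results returned</option>
        <option name="drilldown">none</option>
      </single>
    </panel>
  </row>
</form>
```

A search that finishes with zero results still sets the token to 0, so the single value panel appears in that case as well.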