Dashboards & Visualizations

How to set a variable to value of job.search in dashboard?

scknogas
Path Finder

Okay, I'm trying to do the following in a Dashboard with 8+ tables.

When a search is returned with a table with "No Results", instead of a large table with nothing in it, display a smaller panel that says "No Results found. Click to open search". Thus the user can drill into the search that has no results to see if they want to tune the query/search differently.

In order to do this, I have merged a few different things into one...

First, I'm using the pattern suggested in "Search Tokens for Dynamic Display Example" ( I lack karma to have links to http://docs.splunk.com/Documentation/SplunkCloud/7.0.0/Viz/Tokens#Search_tokens_for_dynamic_display_... ) to make the HTML appear when the Table has no results, by setting and unsetting the $TBL_HIDE$ variable.

Second, I am also using the pattern suggested in "Can I display the status of a dashboard for when it is running/completed?" ( I lack karma to have links to https://answers.splunk.com/answers/481799/can-i-display-the-status-of-a-dashboard-for-when-i.html ) to create an HTML message to display the search status as the variable $MSG$, since I'm hiding the table until it generates results, and if it's running for a long time and not displaying anything, people could stop the query before it was completed thinking there were no results...

Both of these are working, but... I'm also trying to retrieve the value of $job.search$ to put into the HTML link. But, this keeps failing...

So, I'm using the following as a test...

<dashboard>
  <label>Test</label>
    <row>
      <panel>
      <html depends="$MSG$"><div style="text-align:center"><h3>$MSG$</h3></div></html>
      <html><h3>DEBUG- The search query is $QUERY$</h3></html> 
      <html depends="$TBL_HIDE$">No Results Found <a href="$QUERY$" target="_blank">Click to open search</a></html>
      <table rejects="$TBL_HIDE$">
        <search>
          <query>index=main "look for things"</query>
          <earliest>-1h</earliest>
          <latest>now</latest>
          <error><set token="MSG">Search encountered an error</set></error>
          <fail><set token="MSG">Search failed</set></fail>
          <cancelled><set token="MSG">Search was cancelled</set></cancelled>
          <preview>
            <set token="QUERY">$job.search$</set>  
            <eval token="percent_complete1">round($job.doneProgress$*100,2)</eval>
            <set token="MSG">Search is running with $percent_complete1$% done.</set>
          </preview>
          <progress>
            <condition match="'job.resultCount' == 0"><set token="TBL_HIDE">true</set></condition>
            <condition><unset token="TBL_HIDE"></unset></condition>
          </progress>
          <done><unset token="MSG"></unset></done>
          <finalized><unset token="MSG"></unset></finalized>
        </search>
      </table>
    </panel>
  </row>
</dashboard>

So, inside the <preview> I've tried...

<set token="QUERY">$job.search$</set> <!-- Sets "QUERY" to the string "$job.search$" and does not expand the variable's contents. -->
<eval token="QUERY">$job.search$</eval> <!-- Value of "QUERY" is 'null' and thus the name of "QUERY" variable is printed and not the value -->
<eval token="QUERY">printf("%s", $job.search$)</eval><!-- Value of "QUERY" is 'null' and thus the name of "QUERY" variable is printed and not the value  -->

I even tried adding chars before and after to the printf as debugging to make a value get set...

<eval token="QUERY">printf("B|%s|E", $job.search$)</eval><!-- Value of "QUERY" is 'null' and thus the name of "QUERY" variable is printed and not the value -->

So, I'm stumped here. What am I doing wrong today?

1 Solution

elliotproebstel
Champion

I can't tell you why that isn't working, because the docs read to me like that approach should be fine. But I tested this workaround, and it might be a fix for you until you get a more comprehensive answer. Try using this to set the QUERY token instead:

<set token="QUERY">search?sid=$job.sid$</set>

That, in the context of the dashboard code you posted, works for me.

scknogas
Path Finder

Yup, that works (MOSTLY)... 🙂

I'm glad that my original approach seems like it "should" work to you too. That way I'm not 100% insane, or at least I'll have company in the asylum. 😄

The MOSTLY comment refers to the fact that if you use a base search, then the $job.sid$ value for the subsequent post-processing searches only points to the base search contents. 😞

But, if you don't use base searches, then this will work! So, as a current iteration of my dashboard, I've removed the base search optimizations and am using this solution.

Thanks!

0 Karma

scknogas
Path Finder

Dohh!!!! It works (ALMOST!)

If I'm doing a base search for performance, the job.sid only shows that query...

<dashboard>
    <search id="All_About_The_Base">
    <query>index=main "This is the base search"</query>
    <earliest>-1h</earliest>
    <latest>now</latest>
  </search>
  <label>SCK_Test</label>
    <row>
      <panel>
      <html depends="$MSG$"><div style="text-align:center"><h3>$MSG$</h3></div></html>
      <html depends="$table1_hide$"><div style="text-align:center">No Results Found <a href="$QUERY$" target="_blank">Click to open search</a></div>
      </html>
      <table rejects="$table1_hide$">
        <search>
          <query>index=main "look for things"</query>
          <earliest>-1h</earliest>
          <latest>now</latest>
          <error><set token="MSG">Search encountered an error</set></error>
          <fail><set token="MSG">Search failed</set></fail>
          <cancelled><set token="MSG">Search was cancelled</set></cancelled>
          <preview>
            <set token="QUERY">search?sid=$job.sid$</set>
            <eval token="percent_complete1">round($job.doneProgress$*100,2)</eval>
            <set token="MSG">Search is running with $percent_complete1$% done.</set>
          </preview>
          <progress>
            <condition match="'job.resultCount' &gt; 0"><unset token="table1_hide"></unset></condition>
            <condition><set token="table1_hide">true</set></condition>
          </progress>
          <done><unset token="MSG"></unset></done>
          <finalized><unset token="MSG"></unset></finalized>
        </search>
      </table>
    </panel>
  </row>
      <row>
      <panel>
      <html depends="$MSG2$"><div style="text-align:center"><h3>$MSG2$</h3></div></html>
      <html depends="$table2_hide$"><div style="text-align:center">No Results Found <a href="$QUERY2$" target="_blank">Click to open search</a></div>
      </html>
      <table rejects="$table2_hide$">
        <search base="All_About_The_Base">
          <query>search "This is not the base search"</query>
          <error><set token="MSG2">Search encountered an error</set></error>
          <fail><set token="MSG2">Search failed</set></fail>
          <cancelled><set token="MSG2">Search was cancelled</set></cancelled>
          <preview>
            <set token="QUERY2">search?sid=$job.sid$</set>
            <eval token="percent_complete2">round($job.doneProgress$*100,2)</eval>
            <set token="MSG2">Search is running with $percent_complete2$% done.</set>
          </preview>
          <progress>
            <condition match="'job.resultCount' &gt; 0"><unset token="table2_hide"></unset></condition>
            <condition><set token="table2_hide">true</set></condition>
          </progress>
          <done><unset token="MSG2"></unset></done>
          <finalized><unset token="MSG2"></unset></finalized>
        </search>
      </table>
    </panel>
  </row>
</dashboard>

Thoughts?

elliotproebstel
Champion

Ahh, man. And here I thought I was so clever with this sid workaround. I've been playing with this and trying to find another solution, but no dice yet.

Here's what I think is happening with the base/post-process search. Splunk is being too smart by half. Since the base search is not returning any results, it never bothers to execute the post-process search and just optimizes it away. If I massage this dashboard a little so that it generates actual results in my environment, then the $job.sid$ approach leads to a query that has both the base search and the post-process query. Of course, that's of no help to you in your actual use case, since you only want this if there are no results...! So I'll keep playing a little and let you know if I find anything that works.

0 Karma

scknogas
Path Finder

What you suggest makes sense. But, when I have a base search that does return values which is then run through two separate post-process searches (one with results, one without) the outcome of $job.sid$ is the same...

It always points to the base search.

What I've done so far is made a version without the base search, in order to get the functionality desired.

0 Karma

elliotproebstel
Champion

Ahh, ok. I didn't really test deeply enough to fully validate, so I wasn't sure.

I played around for a bit with the navigation elements at the bottom of a dashboard panel to see if I could figure out where the search option in that menu is finding the full search query, but alas. No luck.

0 Karma

scknogas
Path Finder

Yeah, think this is a question for Splunk support. 🙂

But, you have given me a 90% solution! So, consider that a win.

0 Karma

scknogas
Path Finder

I know that I will need to URL encode the value of $job.search$ or $QUERY$ by using the URL format with the "|u" syntax, as shown in http://docs.splunk.com/Documentation/Splunk/7.1.0/Viz/tokens#Syntax_to_consume_tokens but, if I can't even retrieve the value of $job.search$ then the point is moot.

0 Karma
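
The "|u" encoding mentioned in the last post, combined with the base/post-process case from the thread, as an added example that is not part of the original posts and not Splunk's own code. It assumes the query text is held in two hypothetical tokens (base_q, post_q) set in an init block, and that the Search page accepts the q, earliest and latest URL parameters; the link is then built from the query text itself rather than from $job.search$ or $job.sid$.

```xml
<dashboard>
  <label>No-results link built from query tokens (added example)</label>
  <init>
    <!-- Constructed sample queries. Each lives in a token so the same text
         feeds both the search and the link. base_q and post_q are hypothetical names. -->
    <set token="base_q">index=main "This is the base search"</set>
    <set token="post_q">search "This is not the base search"</set>
  </init>
  <search id="All_About_The_Base">
    <query>$base_q$</query>
    <earliest>-1h</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <!-- The |u filter URL-encodes each token, so the double quotes, spaces and
           pipes in the SPL cannot terminate the href attribute or the q parameter.
           %20%7C%20 is the encoded " | " that joins base and post-process.
           The time range is repeated by hand to match the base search. -->
      <html depends="$table2_hide$">
        <div style="text-align:center">No Results Found
          <a href="search?q=search%20$base_q|u$%20%7C%20$post_q|u$&amp;earliest=-1h&amp;latest=now" target="_blank">Click to open search</a>
        </div>
      </html>
      <table rejects="$table2_hide$">
        <search base="All_About_The_Base">
          <query>$post_q$</query>
          <progress>
            <condition match="'job.resultCount' &gt; 0"><unset token="table2_hide"></unset></condition>
            <condition><set token="table2_hide">true</set></condition>
          </progress>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Without the |u filter, the double quotes inside the query text would close the href attribute early and the link would carry a truncated search.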