Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search event handler not being executed...

lyndac
Contributor
‎10-20-2017 11:29 AM

I am using Splunk Enterprise 6.4.7.

Created a dashboard panel. I want to include the number of results in the panel title. I'm trying to use the job.resultCount token in the event handler. I've also tried to use

This is my panel:

<form>
  <row>
    <panel>
      <table>
        <title>$numSrchResults$ Results Returned</title>
        <search>
          <query>index=foo | table _time, name, bar, foobar</query>
          <earliest>$timer_tok.earliest$</earliest>
          <latest>$timer_tok.latest$</latest>
          <done>
              <condition>
                 <eval token="numSrchResults">'job.resultCount'</eval>
              </condition>
          </done>
        </search>
        <option name="rowNumbers">true</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

My search returns about 35 results in the table. However, the token $numSrchResults$ never gets set. I've tried several different things: $job.resultCount$, 'job.resultCount', using <set></set> instead of <eval></eval>, specifying a match condition, using finalize instead of done. None of these work. Any ideas?

0 Karma
Reply

niketn
Legend
‎10-31-2017 05:45 AM

@lyndac the search event handlers to access job tokens and results tokens were changed to<progress> and <done> from Splunk Enterprise 6.5 onward. Till version 6.4 they were <preview> and <finalized>. Try your dashboard with <finalized> instead of <done> and hopefully it should work. http://docs.splunk.com/Documentation/Splunk/6.4.7/Viz/EventHandlerReference#finalized

 <finalized>
     <set token="numSrchResults">$job.resultCount$</set>
 </finalized>

Please try out and confirm.

PS: <preview> and <finalized> have been removed since 6.5. So, you will have to reconsider moving back to <progress> or <done> when you plan your next upgrade.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

lyndac
Contributor
‎10-31-2017 06:17 AM

I've tried , , even
I've tried using $job.resultCount$ and 'job.resultCount'
None are working.

0 Karma
Reply

niketn
Legend
‎10-31-2017 10:32 AM

Or just to test whether our event handlers are being invoked... It should hit one of the conditions either default to 0 or show some value (may be null in your case if it does not work 😞 )

  <finalized>
      <condition match="$job.resultCount$==0">
           <set token="numSrchResults">0</set>
      </condition>
      <condition>
           <set token="numSrchResults">$job.resultCount$</set>
      </condition>
  </finalized>

Try something similar with <preview> instead of <finalized>
So many hit and trials would be frustrating so it is better you open up a support case with Splunk to have them look at the issues you are facing. Ideally this should have worked.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-24-2017 05:41 AM

Hi lyndac,

You can use $job.resultPreviewCount$ for preview count.

Can you please try below XML??

<form>
  <fieldset submitButton="false">
    <input type="time" token="timer_tok">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>$numSrchResults$ Results Returned</title>
        <search>
           <query>index=foo | table _time, name, bar, foobar</query>
          <earliest>$timer_tok.earliest$</earliest>
          <latest>$timer_tok.latest$</latest>
          <progress>
              <set token="numSrchResults">$job.resultPreviewCount$</set>
          </progress>
          <cancelled>
              <unset token="numSrchResults"></unset>
          </cancelled>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">true</option>
      </table>
    </panel>
  </row>
</form>
0 Karma
Reply

lyndac
Contributor
‎10-30-2017 11:09 AM

I tried this and still do not get the result count displayed. My code was working when using version 6.4.3, but when we upgraded to 6.4.7, it stopped working. When I look at the generated HTML in the debugger, I do not see a function that would handle the search event. It's like the SimpleXML is not being correctly translated to HTML

0 Karma
Reply

lyndac
Contributor
‎10-31-2017 05:22 AM

Full XML is below.

   <form>
      <fieldset submitButton="false">
           <input type="time" token="timer_tok">
              <default>
                  <earliest>@d</earliest>
                  <latest>now</latest>
              </default>
           </input>
       </fieldset>
       <row>
         <panel>
           <table>
             <title>$numSrchResults$ Results Returned</title>
             <search>
               <query>index=foo | table _time, name, bar, foobar</query>
               <earliest>$timer_tok.earliest$</earliest>
               <latest>$timer_tok.latest$</latest>
               <done>
                      <set token="numSrchResults">$job.resultCount$</set>
               </done>
             </search>
             <option name="rowNumbers">true</option>
             <option name="drilldown">none</option>
           </table>
         </panel>
       </row>
     </form>

FWIW -- I converted the dashboard to HTML and added code to handle the done event, and that works. However, I should NOT have to convert to HTML just for that work. This is the code that I had to add:

search1.on("search:done", function(properties) {
setToken("numresults", properties.content.resultCount);
});

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-04-2017 10:14 AM

Hi
Does it work for you?

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-30-2017 07:43 PM

Hi
Can you please share full XML ( hide original search and confidential values) ??

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-21-2017 02:05 AM

Hi lyndac,
in my dashboard I always use to put between search tags:

<progress>
     <set token="my_token">$job.resultCount$</set>
</progress>
<cancelled>
     <unset token="my_token"></unset>
</cancelled>

an it runs!

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...