Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search event handler not being executed...

lyndac
Contributor
‎10-20-2017 11:29 AM

I am using Splunk Enterprise 6.4.7.

Created a dashboard panel. I want to include the number of results in the panel title. I'm trying to use the job.resultCount token in the event handler. I've also tried to use

This is my panel:

<form>
  <row>
    <panel>
      <table>
        <title>$numSrchResults$ Results Returned</title>
        <search>
          <query>index=foo | table _time, name, bar, foobar</query>
          <earliest>$timer_tok.earliest$</earliest>
          <latest>$timer_tok.latest$</latest>
          <done>
              <condition>
                 <eval token="numSrchResults">'job.resultCount'</eval>
              </condition>
          </done>
        </search>
        <option name="rowNumbers">true</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

My search returns about 35 results in the table. However, the token $numSrchResults$ never gets set. I've tried several different things: $job.resultCount$, 'job.resultCount', using <set></set> instead of <eval></eval>, specifying a match condition, using finalize instead of done. None of these work. Any ideas?

0 Karma
Reply

niketn
Legend
‎10-31-2017 05:45 AM

@lyndac the search event handlers to access job tokens and results tokens were changed to<progress> and <done> from Splunk Enterprise 6.5 onward. Till version 6.4 they were <preview> and <finalized>. Try your dashboard with <finalized> instead of <done> and hopefully it should work. http://docs.splunk.com/Documentation/Splunk/6.4.7/Viz/EventHandlerReference#finalized

 <finalized>
     <set token="numSrchResults">$job.resultCount$</set>
 </finalized>

Please try out and confirm.

PS: <preview> and <finalized> have been removed since 6.5. So, you will have to reconsider moving back to <progress> or <done> when you plan your next upgrade.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

lyndac
Contributor
‎10-31-2017 06:17 AM

I've tried , , even
I've tried using $job.resultCount$ and 'job.resultCount'
None are working.

0 Karma
Reply

niketn
Legend
‎10-31-2017 10:32 AM

Or just to test whether our event handlers are being invoked... It should hit one of the conditions either default to 0 or show some value (may be null in your case if it does not work 😞 )

  <finalized>
      <condition match="$job.resultCount$==0">
           <set token="numSrchResults">0</set>
      </condition>
      <condition>
           <set token="numSrchResults">$job.resultCount$</set>
      </condition>
  </finalized>

Try something similar with <preview> instead of <finalized>
So many hit and trials would be frustrating so it is better you open up a support case with Splunk to have them look at the issues you are facing. Ideally this should have worked.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-24-2017 05:41 AM

Hi lyndac,

You can use $job.resultPreviewCount$ for preview count.

Can you please try below XML??

<form>
  <fieldset submitButton="false">
    <input type="time" token="timer_tok">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>$numSrchResults$ Results Returned</title>
        <search>
           <query>index=foo | table _time, name, bar, foobar</query>
          <earliest>$timer_tok.earliest$</earliest>
          <latest>$timer_tok.latest$</latest>
          <progress>
              <set token="numSrchResults">$job.resultPreviewCount$</set>
          </progress>
          <cancelled>
              <unset token="numSrchResults"></unset>
          </cancelled>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">true</option>
      </table>
    </panel>
  </row>
</form>
0 Karma
Reply

lyndac
Contributor
‎10-30-2017 11:09 AM

I tried this and still do not get the result count displayed. My code was working when using version 6.4.3, but when we upgraded to 6.4.7, it stopped working. When I look at the generated HTML in the debugger, I do not see a function that would handle the search event. It's like the SimpleXML is not being correctly translated to HTML

0 Karma
Reply

lyndac
Contributor
‎10-31-2017 05:22 AM

Full XML is below.

   <form>
      <fieldset submitButton="false">
           <input type="time" token="timer_tok">
              <default>
                  <earliest>@d</earliest>
                  <latest>now</latest>
              </default>
           </input>
       </fieldset>
       <row>
         <panel>
           <table>
             <title>$numSrchResults$ Results Returned</title>
             <search>
               <query>index=foo | table _time, name, bar, foobar</query>
               <earliest>$timer_tok.earliest$</earliest>
               <latest>$timer_tok.latest$</latest>
               <done>
                      <set token="numSrchResults">$job.resultCount$</set>
               </done>
             </search>
             <option name="rowNumbers">true</option>
             <option name="drilldown">none</option>
           </table>
         </panel>
       </row>
     </form>

FWIW -- I converted the dashboard to HTML and added code to handle the done event, and that works. However, I should NOT have to convert to HTML just for that work. This is the code that I had to add:

search1.on("search:done", function(properties) {
setToken("numresults", properties.content.resultCount);
});

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-04-2017 10:14 AM

Hi
Does it work for you?

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-30-2017 07:43 PM

Hi
Can you please share full XML ( hide original search and confidential values) ??

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-21-2017 02:05 AM

Hi lyndac,
in my dashboard I always use to put between search tags:

<progress>
     <set token="my_token">$job.resultCount$</set>
</progress>
<cancelled>
     <unset token="my_token"></unset>
</cancelled>

an it runs!

Bye.
Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...