Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Tokens flicking to $TOKEN$ and back to value when using a basesearch

robertlynch2020
Motivator
‎07-15-2021 07:04 AM

HI

I am displaying a token that is refreshing every 10 seconds - but now that I have added a base search the token is flicking to $result.TIME$ on the screen and then back to the value.

How do I use a base search and not have the token flick?

I have put both examples below one working(not base search) and one not working.

I have tried to change finalized to done - but nothing changed. We can see in the image one working and one displaying the token (only for 1 second until the search is finished, but it doe not look nice)

robertlynch2020_0-1626357684779.png

 

 

 

 

 

<search base="basesearch_MAIN">
    <!-- Displays the last time pack that has entered SPLUNK - THis need to be update to use the base search off the main search -->
    <query>| rename _time as TIME | eval TIME=strftime(TIME,"%m/%d/%y %H:%M:%S")
| table TIME  | tail 1</query>
     <finalized>
      <set token="Token_TIME_OF_LAST_DATA">$result.TIME$</set>
   <finalized>
  </search>


NO BASE SEARCH - This does not jump on the screen

 <search>
   
    <query>| mstats max("mx.process.cpu.utilization") as cpuPerc WHERE "index"="metrics_test" AND mx.env=MONITORING_MVP span=10s | rename _time as TIME | eval TIME=strftime(TIME,"%m/%d/%y %H:%M:%S")
| table TIME  | tail 1</query>
    <earliest>-1m</earliest>
    <latest>now</latest>
    <finalized>
      <set token="Token_TIME_OF_LAST_DATA1">$result.TIME$</set>
    </finalized>
    <refresh>10s</refresh>
  </search>

 

 

 

  

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-15-2021 09:32 AM

Try

    <progress>
      <condition match=" $job.resultCount$ == 1">
        <set token="Token_TIME_OF_LAST_DATA1">$result.TIME$</set>
      </condition>
    </progress>

View solution in original post

0 Karma
Reply
Solved! Jump to solution

robertlynch2020
Motivator
‎07-19-2021 06:52 AM

Hi - Thanks for the answer.

I did not try your answer as I was able to go with the accepted solution above.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-15-2021 09:32 AM

Try

    <progress>
      <condition match=" $job.resultCount$ == 1">
        <set token="Token_TIME_OF_LAST_DATA1">$result.TIME$</set>
      </condition>
    </progress>
0 Karma
Reply
Solved! Jump to solution

robertlynch2020
Motivator
‎07-19-2021 06:48 AM

Wonderfull thanks -  🙂  It works for a TIME token - cheers

Also below is another example of how to do it

<search base="basesearch_MAIN">
    <!-- FInd out how many process are being monitored -->
    <query>| stats count </query>
    <progress>
	<condition match=" $result.count$ != 0">
      <set token="Token_no_of_Process">$result.count$</set>
    </condition>
	</progress>
  </search>

 

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-15-2021 09:09 AM

@robertlynch2020 

I'm not sure whether it is possible to manage token in xml like your requirement with base search. But I have done it with use of JS. May be if you want to check it.

<dashboard script="a.js">
  <label>Sample Dashboard</label>
  <search id="base_search">
    <query>| makeresults count=1000000 </query>
    <refresh>10s</refresh>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <title>$Token_TIME_OF_LAST_DATA$</title>
      <table>
        <search id="child_id" base="base_search">
          <query>| rename _time as TIME | eval TIME=strftime(TIME,"%m/%d/%y %H:%M:%S") | table TIME | head 1</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>

 

a.js

 

require([
    'underscore',
    'jquery',
    'splunkjs/mvc',
    'splunkjs/mvc/simplexml/ready!'
], function(_, $, mvc) {
    var mySearch = mvc.Components.get('child_id');
    var tokens = mvc.Components.get("default");
    tokens.set("Token_TIME_OF_LAST_DATA", " ");
    mySearch.on('search:done', function(properties) {
        var myResults = mySearch.data("results"); // get the data from that search
        myResults.on("data", function() {
            resultArray = myResults.data().rows;
            tokens.set("Token_TIME_OF_LAST_DATA", resultArray[0]);
        })
    });
});

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...