Dashboards & Visualizations

Using job.resultCount to add up multiple SingleValue Panels

Coffeebean
Explorer

Hello there,

im trying to work with the job.resultCount token, but I can't really figure it out.
I have this pretty basic search:

Coffeebean_0-1627644739691.png

Its supposed to return the amount of login attempts, grouped by user and with more than 1 attempt per day.
I display the result ( 0 ) as a SingleValue panel in my dashboard. Now I want to sump up this result and results from other SingleValue Panels into a new Panel, to see how many patterns returned at least one result.
To get that information, I use the below code to set a token for each panel, which will be added up later.

<done>
   <condition match="'job.resultCount' = 0">
      <set token="panel_failedLogons">0</set>
   </condition>
   <condition>
      <set token="panel_failedLogons">1</set>
   </condition>
</done>

 Problem is, as the | stats count command creates a row displaying 0 results, its counts as a result and therefor the token is set to 1. I also cannot use job.eventCount as there may be single failed login attempts for a user.

Any ideas how I can bypass/solve this particular problem?

Labels (3)
0 Karma
1 Solution

Coffeebean
Explorer

I should have thought about it five minutes longer. I solved it now.

You can use $result.count$ to access the internal field of the search.

 

<done>
   <condition match="'result.count' = 0">
      <set token="panel_failedLogons">0</set>
   </condition>
   <condition>
      <set token="panel_failedLogons">1</set>
   </condition>
</done>

 

 Maybe this will help somebody else.

View solution in original post

0 Karma

Coffeebean
Explorer

I should have thought about it five minutes longer. I solved it now.

You can use $result.count$ to access the internal field of the search.

 

<done>
   <condition match="'result.count' = 0">
      <set token="panel_failedLogons">0</set>
   </condition>
   <condition>
      <set token="panel_failedLogons">1</set>
   </condition>
</done>

 

 Maybe this will help somebody else.

0 Karma
Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...