Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does the dynamic display not work with my panel!?

alex1895
Path Finder
‎02-17-2016 05:07 PM

Thats my simple xml for the panel. Without the dynamic display code the panel would show events. Any mistakes?

      <panel depends="$show2$">
  <title>Intrusion Detection/Vulnerability/Malware Events</title>
  <table>
    <search>
      <query>index=* sourcetype!="Vectra-CEF" sourcetype!="vectra:apt" "$ip$" OR "$URL$" AND tag=ids OR tag=attack OR tag=report OR tag=vulnerability OR tag=malware OR tag=operations | table vendor* ,dvc*,ids_type*,tag,action*,category,signature,src*,dest,user*,severity*,_time,_raw</query>
      <earliest>$time1.earliest$</earliest>
      <latest>$time1.latest$</latest>
    </search>
    <progress>
      <condition match="'job.resultCount' > 0">
        <set token="show2">true</set>
      </condition>
      <condition>
        <unset token="show2"></unset>
      </condition>
    </progress>
    <option name="wrap">undefined</option>
    <option name="rowNumbers">undefined</option>
    <option name="drilldown">row</option>
    <option name="dataOverlayMode">none</option>
    <option name="count">10</option>
  </table>
</panel> ##
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

alex1895
Path Finder
‎02-17-2016 10:17 PM

Got it using the sample provided in the Splunk Dashboard App. A base search is required!!!

Null Search Swapper

<panel>
  <title>Search Logic Based on Result Count</title>

  <input type="radio" token="index_switcher">
     <label>Choose Index</label>
     <choice value="index=_internal">index=_internal</choice>
     <choice value="index=_null">index=_null</choice>
     <initialValue>index=_null</initialValue>
  </input>

    <search id="search_logic">
      <query>$index_switcher$ |  top sourcetype</query>
      <earliest>-60m@m</earliest>
      <latest>now</latest>

      <!-- Progress event has access to job properties only -->
      <progress>
        <condition match="'job.resultCount' == 0">
          <set token="show_html">foob</set>
        </condition>
        <condition>
          <unset token="show_html"/>
        </condition>
      </progress>

    </search>

  <chart rejects="$show_html$">
    <title>Top sourcetypes for index=_internal</title>
    <search base="search_logic" />
    <option name="charting.chart">bar</option>
    <option name="charting.legend.placement">none</option>
  </chart>

  <html depends="$show_html$">
     <p style="color:blue;margin-left:30px;font-size:14px">Search returned no results, so we've hidden the chart!</p>
  </html>
</panel>

##

View solution in original post

Reply
Solved! Jump to solution
Solution

alex1895
Path Finder
‎02-17-2016 10:17 PM

Got it using the sample provided in the Splunk Dashboard App. A base search is required!!!

Null Search Swapper

<panel>
  <title>Search Logic Based on Result Count</title>

  <input type="radio" token="index_switcher">
     <label>Choose Index</label>
     <choice value="index=_internal">index=_internal</choice>
     <choice value="index=_null">index=_null</choice>
     <initialValue>index=_null</initialValue>
  </input>

    <search id="search_logic">
      <query>$index_switcher$ |  top sourcetype</query>
      <earliest>-60m@m</earliest>
      <latest>now</latest>

      <!-- Progress event has access to job properties only -->
      <progress>
        <condition match="'job.resultCount' == 0">
          <set token="show_html">foob</set>
        </condition>
        <condition>
          <unset token="show_html"/>
        </condition>
      </progress>

    </search>

  <chart rejects="$show_html$">
    <title>Top sourcetypes for index=_internal</title>
    <search base="search_logic" />
    <option name="charting.chart">bar</option>
    <option name="charting.legend.placement">none</option>
  </chart>

  <html depends="$show_html$">
     <p style="color:blue;margin-left:30px;font-size:14px">Search returned no results, so we've hidden the chart!</p>
  </html>
</panel>

##

Reply
Solved! Jump to solution

Nextbeat
Path Finder
‎11-29-2017 04:59 AM

I was using similar code but it wouldn't take 

<set token="show_html">True</set>

Changing the value to foob worked.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-17-2016 07:32 PM

Try like this

<dashboard stylesheet="eval_tokens.css">
  <label>Eval Tokens</label>
  <row>
    <panel depends="$show2$">
      <chart>
        <title>Top sourcetypes for index=_internal</title>
        <search>
          <query>index=_internal |  top sourcetype</query>
          <earliest>-2h</earliest>
          <latest>now</latest>
          <progress>
            <eval token="show2">if(tonumber('job.resultCount')!=0,tonumber('job.resultCount'),null())</eval>
          </progress>
        </search>
        <option name="charting.chart">bar</option>
      </chart>
     </panel>
  </row>
</dashboard>
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...