Thats my simple xml for the panel. Without the dynamic display code the panel would show events. Any mistakes?
<panel depends="$show2$">
<title>Intrusion Detection/Vulnerability/Malware Events</title>
<table>
<search>
<query>index=* sourcetype!="Vectra-CEF" sourcetype!="vectra:apt" "$ip$" OR "$URL$" AND tag=ids OR tag=attack OR tag=report OR tag=vulnerability OR tag=malware OR tag=operations | table vendor* ,dvc*,ids_type*,tag,action*,category,signature,src*,dest,user*,severity*,_time,_raw</query>
<earliest>$time1.earliest$</earliest>
<latest>$time1.latest$</latest>
</search>
<progress>
<condition match="'job.resultCount' > 0">
<set token="show2">true</set>
</condition>
<condition>
<unset token="show2"></unset>
</condition>
</progress>
<option name="wrap">undefined</option>
<option name="rowNumbers">undefined</option>
<option name="drilldown">row</option>
<option name="dataOverlayMode">none</option>
<option name="count">10</option>
</table>
</panel> ##
Got it using the sample provided in the Splunk Dashboard App. A base search is required!!!
Null Search Swapper
<panel>
<title>Search Logic Based on Result Count</title>
<input type="radio" token="index_switcher">
<label>Choose Index</label>
<choice value="index=_internal">index=_internal</choice>
<choice value="index=_null">index=_null</choice>
<initialValue>index=_null</initialValue>
</input>
<search id="search_logic">
<query>$index_switcher$ | top sourcetype</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
<!-- Progress event has access to job properties only -->
<progress>
<condition match="'job.resultCount' == 0">
<set token="show_html">foob</set>
</condition>
<condition>
<unset token="show_html"/>
</condition>
</progress>
</search>
<chart rejects="$show_html$">
<title>Top sourcetypes for index=_internal</title>
<search base="search_logic" />
<option name="charting.chart">bar</option>
<option name="charting.legend.placement">none</option>
</chart>
<html depends="$show_html$">
<p style="color:blue;margin-left:30px;font-size:14px">Search returned no results, so we've hidden the chart!</p>
</html>
</panel>
##
Got it using the sample provided in the Splunk Dashboard App. A base search is required!!!
Null Search Swapper
<panel>
<title>Search Logic Based on Result Count</title>
<input type="radio" token="index_switcher">
<label>Choose Index</label>
<choice value="index=_internal">index=_internal</choice>
<choice value="index=_null">index=_null</choice>
<initialValue>index=_null</initialValue>
</input>
<search id="search_logic">
<query>$index_switcher$ | top sourcetype</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
<!-- Progress event has access to job properties only -->
<progress>
<condition match="'job.resultCount' == 0">
<set token="show_html">foob</set>
</condition>
<condition>
<unset token="show_html"/>
</condition>
</progress>
</search>
<chart rejects="$show_html$">
<title>Top sourcetypes for index=_internal</title>
<search base="search_logic" />
<option name="charting.chart">bar</option>
<option name="charting.legend.placement">none</option>
</chart>
<html depends="$show_html$">
<p style="color:blue;margin-left:30px;font-size:14px">Search returned no results, so we've hidden the chart!</p>
</html>
</panel>
##
I was using similar code but it wouldn't take
<set token="show_html">True</set>
Changing the value to foob worked.
Try like this
<dashboard stylesheet="eval_tokens.css">
<label>Eval Tokens</label>
<row>
<panel depends="$show2$">
<chart>
<title>Top sourcetypes for index=_internal</title>
<search>
<query>index=_internal | top sourcetype</query>
<earliest>-2h</earliest>
<latest>now</latest>
<progress>
<eval token="show2">if(tonumber('job.resultCount')!=0,tonumber('job.resultCount'),null())</eval>
</progress>
</search>
<option name="charting.chart">bar</option>
</chart>
</panel>
</row>
</dashboard>