Dashboards & Visualizations

Why does the dynamic display not work with my panel!?

Path Finder

Thats my simple xml for the panel. Without the dynamic display code the panel would show events. Any mistakes?

      <panel depends="$show2$">
  <title>Intrusion Detection/Vulnerability/Malware Events</title>
  <table>
    <search>
      <query>index=* sourcetype!="Vectra-CEF" sourcetype!="vectra:apt" "$ip$" OR "$URL$" AND tag=ids OR tag=attack OR tag=report OR tag=vulnerability OR tag=malware OR tag=operations | table vendor* ,dvc*,ids_type*,tag,action*,category,signature,src*,dest,user*,severity*,_time,_raw</query>
      <earliest>$time1.earliest$</earliest>
      <latest>$time1.latest$</latest>
    </search>
    <progress>
      <condition match="'job.resultCount' > 0">
        <set token="show2">true</set>
      </condition>
      <condition>
        <unset token="show2"></unset>
      </condition>
    </progress>
    <option name="wrap">undefined</option>
    <option name="rowNumbers">undefined</option>
    <option name="drilldown">row</option>
    <option name="dataOverlayMode">none</option>
    <option name="count">10</option>
  </table>
</panel> ##
0 Karma
1 Solution

Path Finder

Got it using the sample provided in the Splunk Dashboard App. A base search is required!!!

Null Search Swapper

<panel>
  <title>Search Logic Based on Result Count</title>

  <input type="radio" token="index_switcher">
     <label>Choose Index</label>
     <choice value="index=_internal">index=_internal</choice>
     <choice value="index=_null">index=_null</choice>
     <initialValue>index=_null</initialValue>
  </input>

    <search id="search_logic">
      <query>$index_switcher$ |  top sourcetype</query>
      <earliest>-60m@m</earliest>
      <latest>now</latest>

      <!-- Progress event has access to job properties only -->
      <progress>
        <condition match="'job.resultCount' == 0">
          <set token="show_html">foob</set>
        </condition>
        <condition>
          <unset token="show_html"/>
        </condition>
      </progress>

    </search>

  <chart rejects="$show_html$">
    <title>Top sourcetypes for index=_internal</title>
    <search base="search_logic" />
    <option name="charting.chart">bar</option>
    <option name="charting.legend.placement">none</option>
  </chart>

  <html depends="$show_html$">
     <p style="color:blue;margin-left:30px;font-size:14px">Search returned no results, so we've hidden the chart!</p>
  </html>
</panel>

##

View solution in original post

Path Finder

Got it using the sample provided in the Splunk Dashboard App. A base search is required!!!

Null Search Swapper

<panel>
  <title>Search Logic Based on Result Count</title>

  <input type="radio" token="index_switcher">
     <label>Choose Index</label>
     <choice value="index=_internal">index=_internal</choice>
     <choice value="index=_null">index=_null</choice>
     <initialValue>index=_null</initialValue>
  </input>

    <search id="search_logic">
      <query>$index_switcher$ |  top sourcetype</query>
      <earliest>-60m@m</earliest>
      <latest>now</latest>

      <!-- Progress event has access to job properties only -->
      <progress>
        <condition match="'job.resultCount' == 0">
          <set token="show_html">foob</set>
        </condition>
        <condition>
          <unset token="show_html"/>
        </condition>
      </progress>

    </search>

  <chart rejects="$show_html$">
    <title>Top sourcetypes for index=_internal</title>
    <search base="search_logic" />
    <option name="charting.chart">bar</option>
    <option name="charting.legend.placement">none</option>
  </chart>

  <html depends="$show_html$">
     <p style="color:blue;margin-left:30px;font-size:14px">Search returned no results, so we've hidden the chart!</p>
  </html>
</panel>

##

View solution in original post

Path Finder

I was using similar code but it wouldn't take

<set token="show_html">True</set>

Changing the value to foob worked.

0 Karma

SplunkTrust
SplunkTrust

Try like this

<dashboard stylesheet="eval_tokens.css">
  <label>Eval Tokens</label>
  <row>
    <panel depends="$show2$">
      <chart>
        <title>Top sourcetypes for index=_internal</title>
        <search>
          <query>index=_internal |  top sourcetype</query>
          <earliest>-2h</earliest>
          <latest>now</latest>
          <progress>
            <eval token="show2">if(tonumber('job.resultCount')!=0,tonumber('job.resultCount'),null())</eval>
          </progress>
        </search>
        <option name="charting.chart">bar</option>
      </chart>
     </panel>
  </row>
</dashboard>
0 Karma