Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Why is a token value not being updated properly fo...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I have a query in an XML dashboard in Splunk 6.5 which depends on a textbox input token. I've set the options so that when the input is updated, it should run the search again with the new token value. However, I am noticing that the first time I change the textbox value, the search does not run. Even stranger, when I change up the value again, it runs with the previous input value. The conditions seem to be set correctly, but it looks to me like it is running the search, and then applying the token change condition, which makes absolutely no sense. I've tried unsetting the tokens first, but that also doesn't work.
Here is my code:
<form>
<init>
<set token="date_value3">=*</set>
</init>
...
<input type="text" token="date_value2" searchWhenChanged="true">
<label>End Date (yyyy-MM-dd)</label>
<default>*</default>
<initialValue>*</initialValue>
<change>
<condition match="'date_value2' != "*"">
<unset token="date_value3"></unset>
<set token="date_value3"><=$date_value2$</set>
</condition>
<condition match="'date_value2' == "*"">
<unset token="date_value3"></unset>
<set token="date_value3">=*</set>
</condition>
</change>
</input>
...
<search>
<query>index=logminer_alerts date$date_value3$</query>
<earliest>0</earliest>
<latest></latest>
</search>
So for example, when I first open the dashboard page it will run properly with date_value3 set to "=*", as specified in the init tags.
However, say I put in "2016-03-30" into the textbox input and press enter, nothing happens.
Try again and put "2016-03-31" into the textbox, suddenly it runs, but with "2016-03-30" as the token value for date_value3. This continues for every new value, it always runs with the previous textbox value.
Does anyone have any idea why this is happening? This seems like a rather big bug if the search manager runs before the new token values are applied...
I should add that the reason I am trying to do this is because date<=* returns no search results, (even though date>=* works just fine). Therefore, I have to change the token to just date=* if the user puts in an asterisk. If there is a way to make date<=* work in a query and return all events, I am definitely open to suggestions.
Any help is appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I wasn't able to figure out why the tokens weren't being updated properly, but I did solve my main issue of date<=* not returning any results in the query.
I just updated my query string to <query>index=logminer_alerts (date>=$date_value$ AND (date<=$date_value2$ OR date=$date_value2$)) </query> and that fixed my problem. No need for the complicated token changes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I wasn't able to figure out why the tokens weren't being updated properly, but I did solve my main issue of date<=* not returning any results in the query.
I just updated my query string to <query>index=logminer_alerts (date>=$date_value$ AND (date<=$date_value2$ OR date=$date_value2$)) </query> and that fixed my problem. No need for the complicated token changes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am having a similar problem. The value that I am setting using the init is not getting set to the search.
Introduction to Splunk AI
Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...
Maximizing the Value of Splunk ES 8.x
