Why is my return token not working properly with s...

fausap · ‎09-25-2018

Hello all,

I have the following search:

    <search>
        <!-- ITA -->
        <query>index=mon1 data{}.testType!="https" data{}.id="95809" source="*LOAD*" | stats latest(data{}.status) as status | lookup mon-status status OUTPUT value as value_full | eval value_fyc=[ search data{}.id="167934" source="*FYC" | stats latest(data{}.status) as status | lookup mon-status status OUTPUT value | return $value ] | eval value=$value_full$ + $value_fyc$ | rangemap field=value low=0-400 severe=401-999 default=low</query>
        <finalized>
          <condition match="'job.resultCount' == 0">
            <set token="value1">0</set>
            <set token="range1">severe</set>
          </condition>
          <condition>
            <set token="value1">$result.value$</set>
            <set token="range1">$result.range$</set>
          </condition>
        </finalized>
        <earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>   
</search>

If I run the query in the search app, it runs fine and I have a table with all the values populated.

In my dashboard I use a CSS to display an icon based on range (i.e. if "severe" display a red cross):

<row>
    <panel>
      <html>
        <a>
          <h1>
            <center>SYS1</center>
          </h1>
        </a>
        <div class="custom-result-value icon-only $range1$"> </div>
      </html>
    </panel>
</row>

but this is not working anymore after I added the subsearch in my query.

I'm not sure the token contains the right value, is there a way to debug it ?

thanks,
Fausto

kamlesh_vaghela · ‎09-25-2018

@fausap

Can you please share sample events from index=mon1?

fausap · ‎09-28-2018

Hello Kamlesh,

sure. each event is a simple json string:

{"data":[{"isSuspended":0,"locationId":149,"name":"b-test01","testType":"","groups":["M-Web"],"id":111366,"tag":"MWeb","time":"28 Sep 2018 10:40:02 GMT","perf":8.829,"status":"OK","frequency":null}],"name":"Spain3","id":149,"locationShortName":"ES"}
{"data":[{"isSuspended":0,"locationId":149,"name":"b-test01","testType":"","groups":["M-Web"],"id":111366,"tag":"MWeb","time":"28 Sep 2018 10:41:22 GMT","perf":8.829,"status":"OK","frequency":null}],"name":"Spain3","id":149,"locationShortName":"ES"}
{"data":[{"isSuspended":0,"locationId":150,"name":"b-test01","testType":"","groups":["M-Web"],"id":111366,"tag":"MWeb","time":"28 Sep 2018 10:41:45 GMT","perf":8.829,"status":"OK","frequency":null}],"name":"Spain2","id":149,"locationShortName":"ES"}
{"data":[{"isSuspended":0,"locationId":150,"name":"b-test01","testType":"","groups":["M-Web"],"id":111366,"tag":"MWeb","time":"28 Sep 2018 10:44:02 GMT","perf":8.829,"status":"OK","frequency":null}],"name":"Spain2","id":149,"locationShortName":"ES"}

etc...

regards,
Fausto

Why is my return token not working properly with subsearches?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!