Why is my return token not working properly with s...

fausap · ‎09-25-2018

Hello all,

I have the following search:

    <search>
        <!-- ITA -->
        <query>index=mon1 data{}.testType!="https" data{}.id="95809" source="*LOAD*" | stats latest(data{}.status) as status | lookup mon-status status OUTPUT value as value_full | eval value_fyc=[ search data{}.id="167934" source="*FYC" | stats latest(data{}.status) as status | lookup mon-status status OUTPUT value | return $value ] | eval value=$value_full$ + $value_fyc$ | rangemap field=value low=0-400 severe=401-999 default=low</query>
        <finalized>
          <condition match="'job.resultCount' == 0">
            <set token="value1">0</set>
            <set token="range1">severe</set>
          </condition>
          <condition>
            <set token="value1">$result.value$</set>
            <set token="range1">$result.range$</set>
          </condition>
        </finalized>
        <earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>   
</search>

If I run the query in the search app, it runs fine and I have a table with all the values populated.

In my dashboard I use a CSS to display an icon based on range (i.e. if "severe" display a red cross):

<row>
    <panel>
      <html>
        <a>
          <h1>
            <center>SYS1</center>
          </h1>
        </a>
        <div class="custom-result-value icon-only $range1$"> </div>
      </html>
    </panel>
</row>

but this is not working anymore after I added the subsearch in my query.

I'm not sure the token contains the right value, is there a way to debug it ?

thanks,
Fausto

kamlesh_vaghela · ‎09-25-2018

@fausap

Can you please share sample events from index=mon1?

fausap · ‎09-28-2018

Hello Kamlesh,

sure. each event is a simple json string:

{"data":[{"isSuspended":0,"locationId":149,"name":"b-test01","testType":"","groups":["M-Web"],"id":111366,"tag":"MWeb","time":"28 Sep 2018 10:40:02 GMT","perf":8.829,"status":"OK","frequency":null}],"name":"Spain3","id":149,"locationShortName":"ES"}
{"data":[{"isSuspended":0,"locationId":149,"name":"b-test01","testType":"","groups":["M-Web"],"id":111366,"tag":"MWeb","time":"28 Sep 2018 10:41:22 GMT","perf":8.829,"status":"OK","frequency":null}],"name":"Spain3","id":149,"locationShortName":"ES"}
{"data":[{"isSuspended":0,"locationId":150,"name":"b-test01","testType":"","groups":["M-Web"],"id":111366,"tag":"MWeb","time":"28 Sep 2018 10:41:45 GMT","perf":8.829,"status":"OK","frequency":null}],"name":"Spain2","id":149,"locationShortName":"ES"}
{"data":[{"isSuspended":0,"locationId":150,"name":"b-test01","testType":"","groups":["M-Web"],"id":111366,"tag":"MWeb","time":"28 Sep 2018 10:44:02 GMT","perf":8.829,"status":"OK","frequency":null}],"name":"Spain2","id":149,"locationShortName":"ES"}

etc...

regards,
Fausto

Why is my return token not working properly with subsearches?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation