Dashboards & Visualizations

Why is post process search in drill down not working?

kranthimutyala
Path Finder

I have 2 Dashboards and the second dashboard is a drill-down for the 1st one.
Everything is working as expected but in the second dashboard, the post-processing search is not working. I want to hide the rows if any of the panels in that row has 0 as output.I tried many ways but not working. I'm pasting the code for 2 dashboards here, please let me know what is missing. Thanks for the help

Dashboard: 1 has this drill down:

<drilldown>
<link target="_blank">/app/search/business_detailed?form.time_second_dashboard.earliest=$field1.earliest$&amp;form.time_second_dashboard.latest=$field1.latest$&amp;form.environment=$env$&amp;form.task=$click.value$</link>
</drilldown>
 
Dashboard 2 : Code

 

<form>
  <label>business_detailed</label>
  <fieldset submitButton="false">
    <input type="time" token="time_second_dashboard">
      <label>Select Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="environment">
      <label>Environment</label>
      <choice value="&quot;UAT&quot;">UAT</choice>
      <choice value="&quot;PROD&quot;">PROD</choice>
      <fieldForLabel>env</fieldForLabel>
      <fieldForValue>env</fieldForValue>
    </input>
    <input type="dropdown" token="task">
      <label>BOT Process</label>
    </input>
  </fieldset>
  <row  >
    <panel rejects= "$panel_show$"  >
      <single>
        <search>
          <query>| makeresults |eval bot="cp Main"|table bot</query>
          <earliest>$time_second_dashboard.earliest$</earliest>
          <latest>$time_second_dashboard.latest$</latest>
         
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
    <panel rejects= "$panel_show$" >
      <single>
        <title>Total Runs</title>
        <search>
          <query>index = "abc" env =$environment$   LogType = "*" TaskName = $task$-Main | eval Time = strftime(_time, "%Y-%m-%d %H:%M:%S")
          |eval LogDescription = trim(replace(LogDescription, "'", ""))
          |eval LogMessage = trim(replace(LogMessage, "'", ""))
          |eval TaskName = trim(replace(TaskName, "'", ""))
          |eval host=substr(host,12,4)
          | rename  TaskName as "Task Name", host as "VDI" | stats count(eval(LogMessage = "FATAL: process ended errorneously")) as Failed_Count, count(eval(LogMessage = "END: cp-Main execution")) as Success_Count1  |eval tot_count= Failed_Count + Success_Count1|table tot_count</query>
       
       

          <earliest>$time_second_dashboard.earliest$</earliest>
          <latest>$time_second_dashboard.latest$</latest>
          
          <progress>
            <condition match="$job.resultCount$ == 0">
              <set token="panel_show">true</set>
            </condition>
            <condition>
               <unset token="panel_show"></unset>

            </condition>
          </progress>
        </search>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="link.visible">0</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xdc4e41"]</option>
        <option name="rangeValues">[0,100000000]</option>
        <option name="refresh.display">progressbar</option>
        <option name="refresh.link.visible">1</option>
        <option name="useColors">1</option>
      </single>
    </panel>
    <panel rejects="$panel_show$">
      <single>
        <title>Process completed Successfully</title>
        <search>
          <query>index = "abc" env = $environment$    LogType = "*" TaskName = $task$-Main LogMessage= "END: cp-Main execution" | eval Time = strftime(_time, "%Y-%m-%d %H:%M:%S")
          |eval LogDescription = trim(replace(LogDescription, "'", "")) 
          |eval LogMessage = trim(replace(LogMessage, "'", ""))
          |eval TaskName = trim(replace(TaskName, "'", ""))
          |eval host=substr(host,12,4)
          | table Time, LogNo, host, LogType, LogMessage, TaskName
          | rename LogMessage as "Log Message", TaskName as "Task Name", host as "VDI" | sort - Time|stats count</query>
          <earliest>$time_second_dashboard.earliest$</earliest>
          <latest>$time_second_dashboard.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="rangeColors">["0x53a051","0xdc4e41"]</option>
        <option name="rangeValues">[1000000000]</option>
        <option name="refresh.display">progressbar</option>
        <option name="link.visible">false</option>
        <option name="refresh.link.visible">true</option>
        <option name="useColors">1</option>
      </single>
    </panel>
    <panel rejects="$panel_show$">
      <single>
        <title>Process completed with Error</title>
        <search>
          <query>index = "abc" env = $environment$    LogType = "*" TaskName = $task$-Main "FATAL: process ended errorneously"| eval Time = strftime(_time, "%Y-%m-%d %H:%M:%S")
          |eval LogDescription = trim(replace(LogDescription, "'", ""))
          |eval LogMessage = trim(replace(LogMessage, "'", ""))
          |eval TaskName = trim(replace(TaskName, "'", ""))
          |eval host=substr(host,12,4)
          | table Time, LogNo, host, LogType, LogMessage, TaskName
          | rename LogMessage as "Log Message", TaskName as "Task Name", host as "VDI" | sort - Time|stats count</query>
          <earliest>$time_second_dashboard.earliest$</earliest>
          <latest>$time_second_dashboard.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="rangeColors">["0xdc4e41","0xdc4e41"]</option>
        <option name="rangeValues">[10000000]</option>
        <option name="refresh.display">progressbar</option>
        <option name="link.visible">false</option>
        <option name="refresh.link.visible">true</option>
        <option name="useColors">1</option>
      </single>
    </panel>
    <panel rejects="$panel_show$">
      <single>
        <title>Success Percent</title>
        <search>
          <query>index = "abc" env = $environment$    LogType = "*" TaskName =$task$-Main | eval Time = strftime(_time, "%Y-%m-%d %H:%M:%S")
          |eval LogDescription = trim(replace(LogDescription, "'", ""))
          |eval LogMessage = trim(replace(LogMessage, "'", ""))
          |eval TaskName = trim(replace(TaskName, "'", ""))
          |eval host=substr(host,12,4)
          | rename  TaskName as "Task Name", host as "VDI" | stats count(eval(LogMessage = "FATAL: process ended errorneously")) as Failed_Count,  ,count(eval(LogMessage = "END: cp-Main execution")) as Success_Count1 | eval tot_count= Failed_Count + Success_Count1   | eval succ_per=round((Success_Count1/tot_count)*100,0)|table succ_per</query>
          <earliest>$time_second_dashboard.earliest$</earliest>
          <latest>$time_second_dashboard.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="rangeColors">["0x581845","0xdc4e41"]</option>
        <option name="rangeValues">[100]</option>
        <option name="refresh.display">progressbar</option>
        <option name="link.visible">false</option>
        <option name="refresh.link.visible">true</option>
        <option name="unit">%</option>
        <option name="useColors">1</option>
      </single>
    </panel>
  </row>
  <row depends="$panel_show1$">
    <panel>
      <single>
        <search>
          <query>| makeresults |eval bot="cp Adhoc"|table bot</query>
          <earliest>$time_second_dashboard.earliest$</earliest>
          <latest>$time_second_dashboard.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
    <panel>
      <single>
        <title>Total Runs</title>
        <search>
          <query>index = "abc" env =$environment$     LogType = "*" TaskName = $task$-Main-Adhoc | eval Time = strftime(_time, "%Y-%m-%d %H:%M:%S")
          |eval LogDescription = trim(replace(LogDescription, "'", ""))
          |eval LogMessage = trim(replace(LogMessage, "'", ""))
          |eval TaskName = trim(replace(TaskName, "'", ""))
          |eval host=substr(host,12,4)
          | rename  TaskName as "Task Name", host as "VDI" | stats count(eval(LogMessage = "FATAL: process ended errorneously")) as Failed_Count, count(eval(LogMessage = "END: process execution")) as Success_Count1  |eval tot_count= Failed_Count + Success_Count1|table tot_count</query>
         
            
          <earliest>$time_second_dashboard.earliest$</earliest>
          <latest>$time_second_dashboard.latest$</latest>
          
          <sampleRatio>1</sampleRatio>
          <progress>
            <condition match="'job.resultCount' > 0">
              <set token="panel_show1">true</set>
              <unset token="panel_hide1"></unset>
            </condition>
            <condition>
              <set token="panel_hide1">true</set>
              <unset token="panel_show1"></unset>
            </condition>
          </progress>
        </search>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="link.visible">0</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xdc4e41"]</option>
        <option name="rangeValues">[0,100000000]</option>
        <option name="refresh.display">progressbar</option>
        <option name="refresh.link.visible">1</option>
        <option name="useColors">1</option>
      </single>
    </panel>
    <panel>
      <single>
        <title>Process completed Successfully</title>
        <search>
          <query>index = "abc" env = $environment$    LogType = "*" TaskName = $task$-Main-Adhoc LogMessage= "END: process execution" | eval Time = strftime(_time, "%Y-%m-%d %H:%M:%S")
          |eval LogDescription = trim(replace(LogDescription, "'", "")) 
          |eval LogMessage = trim(replace(LogMessage, "'", ""))
          |eval TaskName = trim(replace(TaskName, "'", ""))
          |eval host=substr(host,12,4)
          | table Time, LogNo, host, LogType, LogMessage, TaskName
          | rename LogMessage as "Log Message", TaskName as "Task Name", host as "VDI" | sort - Time|stats count</query>
          <earliest>$time_second_dashboard.earliest$</earliest>
          <latest>$time_second_dashboard.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="rangeColors">["0x53a051","0xdc4e41"]</option>
        <option name="rangeValues">[1000000000]</option>
        <option name="refresh.display">progressbar</option>
        <option name="link.visible">false</option>
        <option name="refresh.link.visible">true</option>
        <option name="useColors">1</option>
      </single>
    </panel>
    <panel>
      <single>
        <title>Process completed with Error</title>
        <search>
          <query>index = "abc" env = $environment$    LogType = "*" TaskName = $task$-Main-Adhoc "FATAL: process ended errorneously"| eval Time = strftime(_time, "%Y-%m-%d %H:%M:%S")
          |eval LogDescription = trim(replace(LogDescription, "'", ""))
          |eval LogMessage = trim(replace(LogMessage, "'", ""))
          |eval TaskName = trim(replace(TaskName, "'", ""))
          |eval host=substr(host,12,4)
          | table Time, LogNo, host, LogType, LogMessage, TaskName
          | rename LogMessage as "Log Message", TaskName as "Task Name", host as "VDI" | sort - Time|stats count</query>
          <earliest>$time_second_dashboard.earliest$</earliest>
          <latest>$time_second_dashboard.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="rangeColors">["0xdc4e41","0xdc4e41"]</option>
        <option name="rangeValues">[10000000]</option>
        <option name="refresh.display">progressbar</option>
        <option name="link.visible">false</option>
        <option name="refresh.link.visible">true</option>
        <option name="useColors">1</option>
      </single>
    </panel>
    <panel>
      <single>
        <title>Success Percent</title>
        <search>
          <query>index = "abc" env = $environment$    LogType = "*" TaskName =$task$-Main-Adhoc | eval Time = strftime(_time, "%Y-%m-%d %H:%M:%S")
          |eval LogDescription = trim(replace(LogDescription, "'", ""))
          |eval LogMessage = trim(replace(LogMessage, "'", ""))
          |eval TaskName = trim(replace(TaskName, "'", ""))
          |eval host=substr(host,12,4)
          | rename  TaskName as "Task Name", host as "VDI" | stats count(eval(LogMessage = "FATAL: process ended errorneously")) as Failed_Count,  ,count(eval(LogMessage = "END: process execution")) as Success_Count1 | eval tot_count= Failed_Count + Success_Count1   | eval succ_per=round((Success_Count1/tot_count)*100,0)|table succ_per</query>
          <earliest>$time_second_dashboard.earliest$</earliest>
          <latest>$time_second_dashboard.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="rangeColors">["0x581845","0xdc4e41"]</option>
        <option name="rangeValues">[100]</option>
        <option name="refresh.display">progressbar</option>
        <option name="link.visible">false</option>
        <option name="refresh.link.visible">true</option>
        <option name="unit">%</option>
        <option name="useColors">1</option>
      </single>
    </panel>
  </row>
  </form>

 

In the second Dashboard I want to hide the entire row if any Total Runs panel has 0 as output . I tried but its not working. Is there anything messing up with the tokens from dashboard -1 

 I tried both depends and rejects but its not working 

<progress>
<condition match="$job.resultCount$ == 0">
<set token="panel_show">true</set>
</condition>
<condition>
<unset token="panel_show"></unset>

</condition>
</progress>
Labels (5)
0 Karma

SanjayReddy
SplunkTrust
SplunkTrust

Hi @kranthimutyala 

you need unset token if result are zero  and single quotes aound job.resultCount and need to remove $

please use following updated code 

<progress>
<condition match=" 'job.resultCount' == 0">
<unset token="panel_show"></unset>
</condition>
<condition>
<set token="panel_show">true</set>

</condition>
</progress>

0 Karma

kranthimutyala
Path Finder

Hi @SanjayReddy I tried it but it's not working as expected; When I gave depends it is showing the panel even if the output is zero and similarly when I use rejects panel/row is hiding even if the panel has values.

 

But in depends case its not coming up while processing the results but panels are showing up once the search is completed 

Is it something related to drill down tokens ? that is breaking this functionality  OR  query should have Stats for sure to work on these post-processing search results 

 

<row depends="$panel_show5$">
<panel>
<single>
<search>
<query>| makeresults |eval bot="FARollforward Adhoc"|table bot</query>
<earliest>$time_second_dashboard.earliest$</earliest>
<latest>$time_second_dashboard.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
<panel>
<single>
<title>Total Runs</title>
<search>
<query>QUERY|table tot_count</query>


<earliest>$time_second_dashboard.earliest$</earliest>
<latest>$time_second_dashboard.latest$</latest>
<progress>
<condition match=" 'job.resultCount' == 0">
<unset token="panel_show5"></unset>
</condition>
<condition>
<set token="panel_show5">true</set>

</condition>
</progress>

</search>
<option name="colorMode">none</option>
<option name="drilldown">none</option>

</single>
</panel>
<panel>
<single>
<title>Process completed Successfully</title>
<search>
<query>QUERY |table tot_count</query>
<earliest>$time_second_dashboard.earliest$</earliest>
<latest>$time_second_dashboard.latest$</latest>
</search>
<option name="useColors">1</option>
</single>
</panel>
</row>

</form>

 

 

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...