Solved: XML disappearing after being edited using the UI. - Splunk Community

Dashboards & Visualizations

This is a test dashboard Im working on :

<dashboard>
  <label>Testing</label>
  <row>
    <panel depends="$hide_panel$">
      <event>
        <title>Test Panel</title>
        <search>
          <query>sourcetype=bluecoat:proxysg:access:syslog news | head 1</query>
          <earliest>rt</earliest>
          <latest>rt</latest>
          <progress>
            <condition match="'job.resultCount' == 0">
              <unset token="hide_panel"></unset>
            </condition>
            <condition>
              <set token="hide_panel">true</set>
            </condition>
          </progress>
        </search>
        <option name="table.sortDirection">asc</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
        <option name="count">10</option>
      </event>
    </panel>
  </row>
</dashboard>

when I edit it using the UI, for example the time period, then save it, some of the code gets deleted and it ends up like this:

<dashboard>
           <label>Testing</label>
      <row>
        <panel depends="$hide_panel$">
          <event>
            <title>Test Panel</title>
            <search>
              <query>sourcetype=bluecoat:proxysg:access:syslog news | head 1</query>
              <earliest>rt-30s</earliest>
              <latest>rt</latest>
            </search>
            <option name="table.sortDirection">asc</option>
            <option name="list.drilldown">full</option>
            <option name="list.wrap">1</option>
            <option name="maxLines">5</option>
            <option name="raw.drilldown">full</option>
            <option name="rowNumbers">0</option>
            <option name="table.drilldown">all</option>
            <option name="table.wrap">1</option>
            <option name="type">list</option>
            <option name="count">10</option>
          </event>
        </panel>
      </row>
    </dashboard>

All the code for the panel hide/reveal has gone.
Anyone know why?
And also, I cant seem to get this to hide/reveal when using a 5 minute window either.

Thanks!

1 Solution

Solution

Are you on 6.5 or later version of Splunk? If not <progress> should be named as <preview>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Solution

Are you on 6.5 or later version of Splunk? If not <progress> should be named as <preview>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

@mrgibbon, maybe the token $job.resultCount$ is not available with Real-Time searches, as for me the token never sets even though there is an event returns. Although the Search Event Handlers did not disappear for me. I was able to set token with historical time selection not Real-Time. Following is a run-anywhere example which runs historical search for last 30 sec and refreshes every 30 sec.

PS: You should ideally make it last 1 minute i.e. greater than the refresh interval which is 30 sec.

  <row>
    <panel depends="$hide_panel$">
      <event>
        <title>Test Panel</title>
        <search id="mySearch">
          <query>index="_internal" sourcetype="splunkd" | head 1</query>
          <earliest>-30s</earliest>
          <latest>now</latest>
          <refresh>30s</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="table.sortDirection">asc</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
        <option name="count">10</option>
      </event>
    </panel>
  </row>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

@mrgibbon, following is an example of Real-Time search with Event field returned from search and condition to show/hide panel based on $result.Event$ instead of $job.resultCount$ . Please try with the following as well:

  <row>
    <panel depends="$hide_panel$">
      <event>
        <title>Test Panel</title>
        <search id="mySearch">
          <query>index="_internal" sourcetype="splunkd" "WARN"| head 1| table _raw| rename _raw as Event</query>
          <earliest>rt-30s</earliest>
          <latest>rtnow</latest>
          <progress>
            <condition match="isnull($result.Event$)">
              <unset token="hide_panel"></unset>
            </condition>
            <condition>
              <set token="hide_panel">true</set>
            </condition>
          </progress>
        </search>
        <option name="table.sortDirection">asc</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
        <option name="count">10</option>
      </event>
    </panel>
  </row>

If these do not work your should tag this issue as BUG and also reach out to Splunk Support for assistance.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Thanks for the help and the code, it works, but the panel is on the screen all the time.
Cheers

@mrgibbon, I had missed <condition match="isnull($result.Event$)"> section in my code. Also I have provided a run anywhere search where INFO node is always present in splunkd logs. I have changed it to WARN which occurs less often in Splunk. Please try out above code and test with your own search.

Also if issue with Real-Time searches removing Search handler continue please update here and raise to Splunk Support.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Do you see the same issues if you change <dashboard> and </dashboard> to <form> and </form>?

Also, what version of Splunk are you using and what browser?

Same thing happens when using preview as well.

Yes, the same thing happens when using form.
Im using Splunk 6.5.1612 in Splunk Cloud

Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...