
Trouble with Hidden Panel Passing a Value

strehb18
Path Finder

Hello,

I am having trouble with a panel staying hidden when the search above shows no results. I would like to create a ticker of sorts that will display the result from a search. If something has happened in the last 48 hrs it will show; if not, it will be hidden. I was told to try the below from a different source, but it's not quite working to hide when there are no results. The search itself works, but the ticker is showing at all times.

<search>
  <query>
    search that will return one result ( a string) or no results
  </query>
  <earliest>-48h</earliest>
  <finalized>
    <condition match=" 'job.resultCount' != 0">
      <set token="ticker">$result.ticker$</set>
      <set token="ticker_result">$result.ticker$</set>
    </condition>
    <condition match=" 'job.resultCount' = 0">
      <unset token="ticker"></unset>
      <unset token="ticker_result"></unset>
    </condition>
  </finalized>
</search>
<row>
  <panel depends="$ticker$">
    <html>
      <style>
        #marquee {
          style: choices
        }
      </style>
      <marquee scrollamount="19" id="marquee">ALERT - $ticker_result$</marquee>
    </html>
  </panel>
</row>


t_shreya
Path Finder

Hi @strehb18 


Can you try this?

<condition match="$job.resultCount$==0">
  <unset token="ticker"></unset> 
  <unset token="ticker_result"></unset>
</condition>
<condition>
  <set token="ticker">$result.ticker$</set>
  <set token="ticker_result">$result.ticker$</set>
</condition>

 


strehb18
Path Finder

I am once again having issues with this code. For some reason this works, and then will stop working. Here is the entire code if that helps. I am wondering where the disconnect may be. I can make a table and pass the value and it shows.

<search>
  <query>
    index=defmfg_safety work_center="MAIN*"
    | sort 0 -_time
    | dedup id
    | head 3
    | stats max(corrective_actions{}) as corrective_action by investigation_result
    | eval corrective_action=if(corrective_action="30 day follow up" OR corrective_action="6 month follow up","PENDING",corrective_action)
    | eval result=investigation_result +" -CORRECTIVE ACTION- "+ corrective_action
    | eval ticker=result
    | eval length=ceil(len(ticker)/2) . "ms"
  </query>
  <earliest>-48h@h</earliest>
  <finalized>
    <condition match="$job.resultCount$ == 0">
      <unset token="ticker"></unset>
      <unset token="ticker_result"></unset>
    </condition>
    <condition>
      <set token="ticker">$result.ticker$</set>
      <set token="ticker_result">$result.result$</set>
    </condition>
  </finalized>
</search>
<row depends="$ticker$">
  <panel>
    <html>
      <style>
        #marquee {
          font-size: 30px;
          color: white;
          height: 45px;
          white-space: nowrap;
          line-height: 60px;
        }
        h2 {
          font-size: 30px !important;
          text-align: center;
          padding: 5px !important;
          color: red;
        }
      </style>
      <h2>SAFETY ALERT</h2>
      <marquee scrollamount="19" id="marquee">$ticker$</marquee>
    </html>
  </panel>
</row>


strehb18
Path Finder

Sorry for the delay. This seems to be working. Any chance you can explain why what I had didn't work and what you wrote did work? I'd like to learn but also maybe make it applicable in different scenarios. 


t_shreya
Path Finder

@strehb18, I tried the condition you have written and it worked for me. Not sure why it is not working for you.
