Splunk Search

Trouble with Hidden Panel Passing a Value

strehb18
Path Finder

Hello,

I am having trouble with a panel staying hidden when the search above shows no results. I would like to create a ticker of sorts that will display the result from a search. If something has happened in the last 48 hrs it will show, if not it will be hidden. I was told to try the below from a different source but it's not quite working to hide when there are no results. The search itself works, but the ticker is showing at all times.

<search>
<query>
          search that will return one result ( a string) or no results
</query>
<earliest>-48h</earliest>
<finalized>
<condition match=" 'job.resultCount' != 0">
<set token="ticker">$result.ticker$</set>
<set token="ticker_result">$result.ticker$</set>
</condition>
<condition match=" 'job.resultCount' = 0">
<unset token="ticker"></unset>
<unset token="ticker_result"></unset>
</condition>
</finalized>
</search>
<row>
<panel depends="$ticker$">
<html>
<style>
#marquee {
style: choices
}
</style>
<marquee scrollamount="19" id="marquee">ALERT - $ticker_result$</marquee>
</html>
</panel>
</row>

Labels (1)
Tags (2)
0 Karma
1 Solution

t_shreya
Path Finder

Hi @strehb18 


Can you try this?

<condition match="$job.resultCount$==0">
  <unset token="ticker"></unset> 
  <unset token="ticker_result"></unset>
</condition>
<condition>
  <set token="ticker">$result.ticker$</set>
  <set token="ticker_result">$result.ticker$</set>
</condition>

 

View solution in original post

t_shreya
Path Finder

Hi @strehb18 


Can you try this?

<condition match="$job.resultCount$==0">
  <unset token="ticker"></unset> 
  <unset token="ticker_result"></unset>
</condition>
<condition>
  <set token="ticker">$result.ticker$</set>
  <set token="ticker_result">$result.ticker$</set>
</condition>

 

View solution in original post

strehb18
Path Finder

I am once again having issues with this code. For some reason this works, and then will stop working. Here is the entire code if that helps. I am wondering where the disconnect maybe. I can make a table and pass the value and it shows. 

<search>
<query>
index=defmfg_safety work_center="MAIN*"
| sort 0 -_time
| dedup id
| head 3
| stats max(corrective_actions{}) as corrective_action by investigation_result
| eval corrective_action=if(corrective_action="30 day follow up" OR corrective_action="6 month follow up","PENDING",corrective_action)
| eval result=investigation_result +" -CORRECTIVE ACTION- "+ corrective_action
| eval ticker=result
| eval length=ceil(len(ticker)/2) . "ms"
</query>
<earliest>-48h@h</earliest>
<finalized>
<condition match="$job.resultCount$ == 0">
<unset token="ticker"></unset>
<unset token="ticker_result"></unset>
</condition>
<condition>
<set token="ticker">$result.ticker$</set>
<set token="ticker_result">$result.result$</set>
</condition>
</finalized>
</search>
<row depends="$ticker$">
<panel>
<html>
<style>
#marquee {
font-size: 30px;
color: white;
height: 45px;
white-space: nowrap;
line-height: 60px;
}
h2 {
font-size: 30px !important;
text-align: center;
padding: 5px !important;
color: red;

}
</style>
<h2>SAFETY ALERT</h2>
<marquee scrollamount="19" id="marquee">$ticker$</marquee>
</html>
</panel>
</row>

0 Karma

strehb18
Path Finder

Sorry for the delay. This seems to be working. Any chance you can explain why what I had didn't work and what you wrote did work? I'd like to learn but also maybe make it applicable in different scenarios. 

0 Karma

t_shreya
Path Finder

@strehb18 , I tried the condition you have written and it worked for me. Not sure why it is not working for you.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!