Solved: Re: Trouble with Hidden Panel Passing a Value

strehb18 · ‎10-29-2020

Hello,

I am having trouble with a panel staying hidden when the search above shows no results. I would like to create a ticker of sorts that will display the result from a search. If something has happened in the last 48 hrs it will show, if not it will be hidden. I was told to try the below from a different source but it's not quite working to hide when there are no results. The search itself works, but the ticker is showing at all times.

<search>
<query>
search that will return one result ( a string) or no results
</query>
<earliest>-48h</earliest>
<finalized>
<condition match=" 'job.resultCount' != 0">
<set token="ticker">$result.ticker$</set>
<set token="ticker_result">$result.ticker$</set>
</condition>
<condition match=" 'job.resultCount' = 0">
<unset token="ticker"></unset>
<unset token="ticker_result"></unset>
</condition>
</finalized>
</search>
<row>
<panel depends="$ticker$">
<html>
<style>
#marquee {
style: choices
}
</style>
<marquee scrollamount="19" id="marquee">ALERT - $ticker_result$</marquee>
</html>
</panel>
</row>

t_shreya · ‎10-30-2020

Hi @strehb18

Can you try this?

<condition match="$job.resultCount$==0">
  <unset token="ticker"></unset> 
  <unset token="ticker_result"></unset>
</condition>
<condition>
  <set token="ticker">$result.ticker$</set>
  <set token="ticker_result">$result.ticker$</set>
</condition>

View solution in original post

t_shreya · ‎10-30-2020

Hi @strehb18

Can you try this?

<condition match="$job.resultCount$==0">
  <unset token="ticker"></unset> 
  <unset token="ticker_result"></unset>
</condition>
<condition>
  <set token="ticker">$result.ticker$</set>
  <set token="ticker_result">$result.ticker$</set>
</condition>

strehb18 · ‎02-01-2021

I am once again having issues with this code. For some reason this works, and then will stop working. Here is the entire code if that helps. I am wondering where the disconnect maybe. I can make a table and pass the value and it shows.

<search>
<query>
index=defmfg_safety work_center="MAIN*"
| sort 0 -_time
| dedup id
| head 3
| stats max(corrective_actions{}) as corrective_action by investigation_result
| eval corrective_action=if(corrective_action="30 day follow up" OR corrective_action="6 month follow up","PENDING",corrective_action)
| eval result=investigation_result +" -CORRECTIVE ACTION- "+ corrective_action
| eval ticker=result
| eval length=ceil(len(ticker)/2) . "ms"
</query>
<earliest>-48h@h</earliest>
<finalized>
<condition match="$job.resultCount$ == 0">
<unset token="ticker"></unset>
<unset token="ticker_result"></unset>
</condition>
<condition>
<set token="ticker">$result.ticker$</set>
<set token="ticker_result">$result.result$</set>
</condition>
</finalized>
</search>
<row depends="$ticker$">
<panel>
<html>
<style>
#marquee {
font-size: 30px;
color: white;
height: 45px;
white-space: nowrap;
line-height: 60px;
}
h2 {
font-size: 30px !important;
text-align: center;
padding: 5px !important;
color: red;

}
</style>
<h2>SAFETY ALERT</h2>
<marquee scrollamount="19" id="marquee">$ticker$</marquee>
</html>
</panel>
</row>

strehb18 · ‎11-10-2020

Sorry for the delay. This seems to be working. Any chance you can explain why what I had didn't work and what you wrote did work? I'd like to learn but also maybe make it applicable in different scenarios.

t_shreya · ‎11-10-2020

@strehb18 , I tried the condition you have written and it worked for me. Not sure why it is not working for you.

Trouble with Hidden Panel Passing a Value

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation