Splunk Search

Trouble with Hidden Panel Passing a Value

strehb18
Path Finder

Hello,

I am having trouble with a panel staying hidden when the search above shows no results. I would like to create a ticker of sorts that will display the result from a search. If something has happened in the last 48 hrs it will show, if not it will be hidden. I was told to try the below from a different source but it's not quite working to hide when there are no results. The search itself works, but the ticker is showing at all times.

<search>
<query>
          search that will return one result ( a string) or no results
</query>
<earliest>-48h</earliest>
<finalized>
<condition match=" 'job.resultCount' != 0">
<set token="ticker">$result.ticker$</set>
<set token="ticker_result">$result.ticker$</set>
</condition>
<condition match=" 'job.resultCount' = 0">
<unset token="ticker"></unset>
<unset token="ticker_result"></unset>
</condition>
</finalized>
</search>
<row>
<panel depends="$ticker$">
<html>
<style>
#marquee {
style: choices
}
</style>
<marquee scrollamount="19" id="marquee">ALERT - $ticker_result$</marquee>
</html>
</panel>
</row>

Labels (1)
Tags (2)
0 Karma
1 Solution

t_shreya
Path Finder

Hi @strehb18 


Can you try this?

<condition match="$job.resultCount$==0">
  <unset token="ticker"></unset> 
  <unset token="ticker_result"></unset>
</condition>
<condition>
  <set token="ticker">$result.ticker$</set>
  <set token="ticker_result">$result.ticker$</set>
</condition>

 

View solution in original post

t_shreya
Path Finder

Hi @strehb18 


Can you try this?

<condition match="$job.resultCount$==0">
  <unset token="ticker"></unset> 
  <unset token="ticker_result"></unset>
</condition>
<condition>
  <set token="ticker">$result.ticker$</set>
  <set token="ticker_result">$result.ticker$</set>
</condition>

 

strehb18
Path Finder

I am once again having issues with this code. For some reason this works, and then will stop working. Here is the entire code if that helps. I am wondering where the disconnect maybe. I can make a table and pass the value and it shows. 

<search>
<query>
index=defmfg_safety work_center="MAIN*"
| sort 0 -_time
| dedup id
| head 3
| stats max(corrective_actions{}) as corrective_action by investigation_result
| eval corrective_action=if(corrective_action="30 day follow up" OR corrective_action="6 month follow up","PENDING",corrective_action)
| eval result=investigation_result +" -CORRECTIVE ACTION- "+ corrective_action
| eval ticker=result
| eval length=ceil(len(ticker)/2) . "ms"
</query>
<earliest>-48h@h</earliest>
<finalized>
<condition match="$job.resultCount$ == 0">
<unset token="ticker"></unset>
<unset token="ticker_result"></unset>
</condition>
<condition>
<set token="ticker">$result.ticker$</set>
<set token="ticker_result">$result.result$</set>
</condition>
</finalized>
</search>
<row depends="$ticker$">
<panel>
<html>
<style>
#marquee {
font-size: 30px;
color: white;
height: 45px;
white-space: nowrap;
line-height: 60px;
}
h2 {
font-size: 30px !important;
text-align: center;
padding: 5px !important;
color: red;

}
</style>
<h2>SAFETY ALERT</h2>
<marquee scrollamount="19" id="marquee">$ticker$</marquee>
</html>
</panel>
</row>

0 Karma

strehb18
Path Finder

Sorry for the delay. This seems to be working. Any chance you can explain why what I had didn't work and what you wrote did work? I'd like to learn but also maybe make it applicable in different scenarios. 

0 Karma

t_shreya
Path Finder

@strehb18 , I tried the condition you have written and it worked for me. Not sure why it is not working for you.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...