Any ideas on why KER_RESULT would not be working? Tail end of base query...
Updated code...
<search id="events">
<query>$environment$ $bloomfilter$ `Errors`
| eval KER_EDIT=KER
| search Client_Impact!="Normal_Dialog" $searchType$$searchField$
| table _time ErrorLogID KER
</query>
<earliest>$timerange.earliest$</earliest>
<latest>$timerange.latest$</latest>
<done>
<condition match="'job.resultCount' == 1">
<set token="KER">$result.KER$</set>
<set token="singleresult">true</set>
<set token="runDuration">$job.runDuration$</set>
</condition>
<condition match="'job.resultCount' != 1">
<set token="runDuration">$job.runDuration$</set>
<unset token="singleresult"></unset>
<unset token="KER"></unset>
</condition>
</done>
<finalized>
<eval token="KER_COLUMN">coalesce($view$,"KER")</eval>
</finalized>
</search>
There is a single result and a KER value but the KER_RESULT token keeps coming back as $result.KER$ even though singleresult token is returning true.
Thanks
Thanks for all the help troubleshooting. Not sure who to credit the answer to... but when I eliminated the extra event handler and put everything in finalized it works.
Finalized vs above...
<finalized>
<condition match="'job.resultCount' == 1">
<set token="KER">$result.KER$</set>
<set token="singleresult">true</set>
<set token="runDuration">$job.runDuration$</set>
<eval token="KER_COLUMN">coalesce($view$,"KER")</eval>
</condition>
<condition match="'job.resultCount' != 1">
<set token="runDuration">$job.runDuration$</set>
<unset token="singleresult"></unset>
<unset token="KER"></unset>
<eval token="KER_COLUMN">coalesce($view$,"KER")</eval>
</condition>
</finalized>
I thought I had tried this.
Also eliminated some unnecessary table drilldown options in an event handler elsewhere... good news is working now.
If you do not know whom to credit then go back to each answer and comment that assisted you and upvote (yes, you can upvote comments; go ahead and try on this one)!
Cheers everyone!!!
@snoobzilla ...You can mark your own previous comment as the answer!
interface note - if you add a line with <query> at the front of the code you posted, all the colors will straighten out so that only the literals are green.
@niketnilay Updated with more of surrounding code. Tried your suggestions, no improvement.
Strange, the result.field token should be available in the preview and finalized events for Splunk 6.4.1.
Can you please confirm if you are using query like the one below? It should either hit the first block or second block...
<preview>
<condition match="'job.resultCount' == 0">
<set token="runDuration">$job.runDuration$</set>
<unset token="singleresult"></unset>
<unset token="KER"></unset>
<set token="test">NoResults</set>
</condition>
<condition>
<set token="KER">$result.KER$</set>
<set token="singleresult">true</set>
<set token="runDuration">$job.runDuration$</set>
<set token="test">ResultsFound</set>
</condition>
</preview>
I have also added test token... Can you print to confirm which block is being hit?
You should post the whole dashboard code IMHO.
@jkat54 a bit of a pain to sanitize from internal references... may resort to that eventually.
Which version of Splunk are you using?
Enterprise 6.4.1
Can you try a couple of things?
1) Print a table with required fields in your base search | table _time ErrorLogID KER (also run independently to confirm that only one row exists and data is getting populated. You should not get No results found)
2) Changing match condition from $job.resultCount$==1 to $job.resultCount$!=0. This way there will just be two condition blocks, i.e. either results are returned or not returned.
3) I am not sure if the following will help but changing Search Event Handler from done to progress
I just tried your code above and it worked perfectly for me ... Is there any other part of your dashboard that could be affecting this?
I added more of surrounding code... it is a base search and there is a finalized event handler at the end but pulling that did not fix.
Try this <condition match=" 'job.resultCount' == 1"> instead of <condition match="$job.resultCount$ == 1">.
Thanks, no change. Updated with more of surrounding code.