useage of query result

ronenp · ‎01-24-2016

hello ,
i am new to splunk and i have a bit of a problem with using the results from the query,

<condition match=" 'results.res' >0"> doesn't work so as the $job.resultCount$

if i try to use 'job.resultCount' or $job.resultCount$ it works but that not what i need

query :
<search id="parsing_queue">
index=_internal source = "udp:514" sourcetype = "syslog" alert | stats count as res
-24h@h
now

$job.resultCount$

no val

thank you all

ronen

chimell · ‎01-25-2016

HI ronenp
try to use this :

<search id="parsing_queue">
      <query>index=_internal source = "udp:514" sourcetype = "syslog" alert | stats count </query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
      <progress>
           <condition match="'job.resultCount' >0">
               <set token="show_table">true</set>
           </condition>
           <condition>
               <unset token="show_table"/>
           </condition>
       </progress>
   </search>

vasanthmss · ‎01-25-2016

Wat version of Splunk you are using ?

V

Richfez · ‎01-24-2016

Could you paste the search you are running again, only this time format it with the Code Sample button? I think a lot of your search got eaten by the editor.

renjith_nair · ‎01-24-2016

You can use the $job.resultCount$ inside the search tag or set a token based on this and use that later.

For reference : http://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Search_event_elements_and_job_properti...

---
What goes around comes around. If it helps, hit it with Karma 🙂

useage of query result

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

useage of query result

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...