Why is setting a token from result not working?

snoobzilla
Builder

Any ideas on why KER_RESULT would not be working? Tail end of base query...

Updated code...

<search id="events">
  <query>$environment$ $bloomfilter$ `Errors`
| eval KER_EDIT=KER
| search Client_Impact!="Normal_Dialog" $searchType$$searchField$
| table _time ErrorLogID KER
  </query>
  <earliest>$timerange.earliest$</earliest>
  <latest>$timerange.latest$</latest>
  <done>
    <condition match="'job.resultCount' == 1">
      <set token="KER">$result.KER$</set>
      <set token="singleresult">true</set>
      <set token="runDuration">$job.runDuration$</set>
    </condition>
    <condition match="'job.resultCount' != 1">
      <set token="runDuration">$job.runDuration$</set>
      <unset token="singleresult"></unset>
      <unset token="KER"></unset>
    </condition>
  </done>
  <finalized>
    <eval token="KER_COLUMN">coalesce($view$,"KER")</eval>
  </finalized>
</search>

There is a single result and a KER value, but the KER_RESULT token keeps coming back as $result.KER$ even though the singleresult token is returning true.

Thanks

1 Solution

snoobzilla
Builder

Thanks for all the help troubleshooting. Not sure who to credit the answer to... but when I eliminated the extra event handler and put everything in finalized, it works.

Finalized vs above...

<finalized>
  <condition match="'job.resultCount' == 1">
    <set token="KER">$result.KER$</set>
    <set token="singleresult">true</set>
    <set token="runDuration">$job.runDuration$</set>
    <eval token="KER_COLUMN">coalesce($view$,"KER")</eval>
  </condition>
  <condition match="'job.resultCount' != 1">
    <set token="runDuration">$job.runDuration$</set>
    <unset token="singleresult"></unset>
    <unset token="KER"></unset>
    <eval token="KER_COLUMN">coalesce($view$,"KER")</eval>
  </condition>
</finalized>

I thought I had tried this.

Also eliminated some unnecessary table drilldown options in an event handler elsewhere... good news is it is working now.

woodcock
Esteemed Legend

If you do not know whom to credit then go back to each answer and comment that assisted you and upvote (yes, you can upvote comments; go ahead and try on this one)!

niketn
Legend

Cheers everyone!!!

@snoobzilla ...You can mark your own previous comment as the answer!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

DalJeanis
SplunkTrust
SplunkTrust

Interface note: if you add a line with <query> at the front of the code you posted, all the colors will straighten out so that only the literals are green.

snoobzilla
Builder

@niketnilay Updated with more of surrounding code. Tried your suggestions, no improvement.

niketn
Legend

Strange, the result.field token should be available in the preview and finalized events for Splunk 6.4.1.
Can you please confirm if you are using a query like the one below? It should hit either the first block or the second block...

<preview>
  <condition match="'job.resultCount' == 0">
    <set token="runDuration">$job.runDuration$</set>
    <unset token="singleresult"></unset>
    <unset token="KER"></unset>
    <set token="test">NoResults</set>
  </condition>
  <condition>
    <set token="KER">$result.KER$</set>
    <set token="singleresult">true</set>
    <set token="runDuration">$job.runDuration$</set>
    <set token="test">ResultsFound</set>
  </condition>
</preview>

I have also added a test token... Can you print it to confirm which block is being hit?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
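The pattern the accepted solution and the preview suggestion above both rely on (set a token from the first result row inside a conditional search event handler, then drive panel visibility from it) is shown below as a complete dashboard you can paste into Splunk. This is an added example, not code from the thread: the `Errors` macro and the real fields are replaced by a constructed `makeresults` row, and the token names (`KER`, `singleresult`, `runDuration`, `test`) are borrowed from the posts. Note that `$result.fieldName$` always refers to the first row of the job's results, and that `<finalized>` fires once when the job completes, whereas `<preview>` and `<progress>` can fire several times while it runs.

```xml
<dashboard>
  <label>Token from a single result (added example)</label>

  <!-- Base search. The makeresults row is constructed sample data standing in
       for `Errors`; change count=1 to count=3 (or filter everything out) to
       exercise the other two condition branches. -->
  <search id="events">
    <query>| makeresults count=1
| eval ErrorLogID="ERR-0001", KER="KER_ABC", Client_Impact="Outage"
| search Client_Impact!="Normal_Dialog"
| table _time ErrorLogID KER</query>
    <earliest>-15m</earliest>
    <latest>now</latest>

    <!-- finalized runs once, after the job has completed. The match expression
         uses the single-quoted job property, as suggested in the thread. -->
    <finalized>
      <condition match="'job.resultCount' == 1">
        <set token="KER">$result.KER$</set>
        <set token="singleresult">true</set>
        <set token="runDuration">$job.runDuration$</set>
        <set token="test">SingleResult</set>
      </condition>
      <condition match="'job.resultCount' == 0">
        <unset token="singleresult"></unset>
        <unset token="KER"></unset>
        <set token="runDuration">$job.runDuration$</set>
        <set token="test">NoResults</set>
      </condition>
      <!-- A condition without match is the fallback: more than one row. -->
      <condition>
        <unset token="singleresult"></unset>
        <unset token="KER"></unset>
        <set token="runDuration">$job.runDuration$</set>
        <set token="test">MultipleResults</set>
      </condition>
    </finalized>
  </search>

  <row>
    <!-- Shown only while singleresult is set -->
    <panel depends="$singleresult$">
      <title>Single result: KER=$KER$ (branch: $test$, runDuration: $runDuration$)</title>
      <table>
        <search base="events">
          <query>| table _time ErrorLogID KER</query>
        </search>
      </table>
    </panel>

    <!-- Shown whenever singleresult is unset (zero or several rows) -->
    <panel rejects="$singleresult$">
      <title>Not exactly one result (branch: $test$)</title>
      <html>
        <p>Result count was not 1, so the $$KER$$ token is unset.</p>
      </html>
    </panel>
  </row>
</dashboard>
```

The `test` token plays the same diagnostic role as in the preview suggestion: put it in a panel title and you can see which branch the handler actually took without adding a debugging panel. Inside the `<html>` element, `$$KER$$` is the Simple XML escape for a literal `$KER$`, so the text does not get token-substituted.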

jkat54
SplunkTrust
SplunkTrust

You should post the whole dashboard code IMHO.

snoobzilla
Builder

@jkat54 a bit of a pain to sanitize from internal references... may resort to that eventually.

niketn
Legend

Which version of Splunk are you using?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
snoobzilla
Builder

Enterprise 6.4.1

niketn
Legend

Can you try a couple of things?

1) Print a table with the required fields in your base search: | table _time ErrorLogID KER (also run it independently to confirm that only one row exists and the data is getting populated. You should not get "No results found").
2) Change the match condition from $job.resultCount$==1 to $job.resultCount$!=0. This way there will be just two condition blocks, i.e. either results are returned or they are not.
3) I am not sure if the following will help, but try changing the search event handler from done to progress.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

lquinn
Contributor

I just tried your code above and it worked perfectly for me ... Is there any other part of your dashboard that could be affecting this?

snoobzilla
Builder

I added more of the surrounding code... it is a base search and there is a finalized event handler at the end, but pulling that did not fix it.

somesoni2
SplunkTrust
SplunkTrust

Try this <condition match=" 'job.resultCount' == 1"> instead of <condition match="$job.resultCount$ == 1">.

http://docs.splunk.com/Documentation/Splunk/6.3.3/Viz/tokens#Search_tokens_for_dynamic_display_examp...

snoobzilla
Builder

Thanks, no change. Updated with more of the surrounding code.
