Hello,
I am new to Splunk and I have a bit of a problem with using the results from the query,
<condition match=" 'results.res' >0"> doesn't work so as the $job.resultCount$
If I try to use 'job.resultCount' or $job.resultCount$ it works, but that's not what I need.
Query:
<search id="parsing_queue">
Thank you all,
Ronen
Hi ronenp,
Try to use this:
<search id="parsing_queue">
  <query>index=_internal source = "udp:514" sourcetype = "syslog" alert | stats count </query>
  <earliest>-24h@h</earliest>
  <latest>now</latest>
  <progress>
    <!-- Set the token while the search job reports at least one result row -->
    <condition match="'job.resultCount' >0">
      <set token="show_table">true</set>
    </condition>
    <!-- Default branch: no result rows, so clear the token -->
    <condition>
      <unset token="show_table"/>
    </condition>
  </progress>
</search>
What version of Splunk are you using?
Could you paste the search you are running again, only this time format it with the Code Sample button? I think a lot of your search got eaten by the editor.
You can use the $job.resultCount$ inside the search tag or set a token based on this and use that later.
For reference: http://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Search_event_elements_and_job_properti...
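An added example, not taken from any post in this thread: `stats count` with no `by` clause returns one row even when the count is 0, so `job.resultCount` is 1 whether or not any alert matched. Appending `| where count > 0` makes the row count track the actual result, and the token can then gate a panel. The dashboard label, panel title, second search and the use of `<done>` instead of `<progress>` are assumptions made for illustration.

```xml
<dashboard>
  <label>Syslog alerts (constructed example)</label>
  <!-- Base search: "where count > 0" drops the single summary row when
       nothing matched, so job.resultCount is 0 or 1 instead of always 1. -->
  <search id="parsing_queue">
    <query>index=_internal source="udp:514" sourcetype="syslog" alert | stats count | where count &gt; 0</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
    <!-- Evaluate once the job has finished, so the final row count is used -->
    <done>
      <condition match="'job.resultCount' &gt; 0">
        <set token="show_table">true</set>
      </condition>
      <condition>
        <unset token="show_table"/>
      </condition>
    </done>
  </search>
  <row>
    <!-- The panel is rendered only while the show_table token is set -->
    <panel depends="$show_table$">
      <table>
        <title>Alert events, last 24 hours</title>
        <search>
          <query>index=_internal source="udp:514" sourcetype="syslog" alert | table _time host _raw</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```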