Splunk Search

Why is setting a token from result not working?

snoobzilla
Builder

Any ideas on why KER_RESULT would not be working? Tail end of base query...

Updated code...

<search id="events">
  <query>$environment$ $bloomfilter$ `Errors`
| eval KER_EDIT=KER
| search Client_Impact!="Normal_Dialog" $searchType$$searchField$
| table _time ErrorLogID KER
  </query>
  <earliest>$timerange.earliest$</earliest>
  <latest>$timerange.latest$</latest>
  <done>
    <condition match="'job.resultCount' == 1">
      <set token="KER">$result.KER$</set>
      <set token="singleresult">true</set>
      <set token="runDuration">$job.runDuration$</set>
    </condition>
    <condition match="'job.resultCount' != 1">
      <set token="runDuration">$job.runDuration$</set>
      <unset token="singleresult"></unset>
      <unset token="KER"></unset>
    </condition>
  </done>
  <finalized>
    <eval token="KER_COLUMN">coalesce($view$,"KER")</eval>
  </finalized>
</search>

There is a single result and a KER value but the KER_RESULT token keeps coming back as $result.KER$ even though singleresult token is returning true.

Thanks

1 Solution

snoobzilla
Builder

Thanks for all the help troubleshooting. Not sure whom to credit the answer to... but when I eliminated the extra event handler and put everything in finalized it works.

Finalized vs above...

<finalized>
  <condition match="'job.resultCount' == 1">
    <set token="KER">$result.KER$</set>
    <set token="singleresult">true</set>
    <set token="runDuration">$job.runDuration$</set>
    <eval token="KER_COLUMN">coalesce($view$,"KER")</eval>
  </condition>
  <condition match="'job.resultCount' != 1">
    <set token="runDuration">$job.runDuration$</set>
    <unset token="singleresult"></unset>
    <unset token="KER"></unset>
    <eval token="KER_COLUMN">coalesce($view$,"KER")</eval>
  </condition>
</finalized>

I thought I had tried this.

Also eliminated some unnecessary table drilldown options in an event handler elsewhere... good news is working now.
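The pattern the accepted answer lands on (one <finalized> handler holding every condition, a quoted 'job.resultCount' match as somesoni2 suggested, and a diagnostic token as niketn suggested) is easier to verify in isolation. The following is an added, self-contained Simple XML dashboard written for this page, not the original poster's dashboard: the makeresults query, the rowcount input and the panel titles are constructed so the single-result and not-single-result branches can both be exercised without any real index.

```xml
<form>
  <label>Token from single result (constructed example)</label>
  <fieldset submitButton="false">
    <!-- Constructed input: 1 row exercises the single-result branch, 3 rows the catch-all -->
    <input type="dropdown" token="rowcount">
      <label>Rows to generate</label>
      <choice value="1">1</choice>
      <choice value="3">3</choice>
      <default>1</default>
    </input>
  </fieldset>

  <!-- Base search: constructed data standing in for the original `Errors` macro query -->
  <search id="events">
    <query>| makeresults count=$rowcount$
| streamstats count AS ErrorLogID
| eval KER="KER-" . ErrorLogID
| table _time ErrorLogID KER</query>
    <earliest>-15m</earliest>
    <latest>now</latest>
    <!-- Single handler only. Conditions are evaluated in order and the first match wins;
         the bare <condition> is the catch-all, so there is no third, unhandled case. -->
    <finalized>
      <condition match="'job.resultCount' == 1">
        <set token="KER">$result.KER$</set>
        <set token="singleresult">true</set>
        <set token="test">SingleResult</set>
      </condition>
      <condition>
        <unset token="singleresult"></unset>
        <unset token="KER"></unset>
        <set token="test">NotSingleResult</set>
      </condition>
    </finalized>
  </search>

  <row>
    <panel>
      <title>Base search results</title>
      <table>
        <search base="events"></search>
      </table>
    </panel>
  </row>
  <row>
    <!-- Shown only while singleresult is set; $KER$ must render as a value, never as the literal $result.KER$ -->
    <panel depends="$singleresult$">
      <title>Token set from the single result</title>
      <html>
        <p>KER token: $KER$</p>
        <p>Condition block hit: $test$</p>
      </html>
    </panel>
    <panel rejects="$singleresult$">
      <title>No single result</title>
      <html>
        <p>Condition block hit: $test$</p>
      </html>
    </panel>
  </row>
</form>
```

With the dropdown at 1 the first panel shows "KER-1" and "SingleResult"; switching to 3 unsets singleresult, hides that panel and shows "NotSingleResult" in the second. If the first panel ever displays the literal text $result.KER$, the handler is not the one that ran on the finished job, which is the symptom the thread describes.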


woodcock
Esteemed Legend

If you do not know whom to credit then go back to each answer and comment that assisted you and upvote (yes, you can upvote comments; go ahead and try on this one)!

niketn
Legend

Cheers everyone!!!

@snoobzilla ...You can mark your own previous comment as the answer!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

DalJeanis
SplunkTrust
SplunkTrust

interface note - if you add a line with <query> at the front of the code you posted, all the colors will straighten out so that only the literals are green.


snoobzilla
Builder

@niketnilay Updated with more of surrounding code. Tried your suggestions, no improvement.


niketn
Legend

Strange. The result.field token should be available in the preview and finalized events for Splunk 6.4.1.
Can you please confirm whether you are using a query like the one below? It should hit either the first block or the second block...

<preview>
  <condition match="'job.resultCount' == 0">
    <set token="runDuration">$job.runDuration$</set>
    <unset token="singleresult"></unset>
    <unset token="KER"></unset>
    <set token="test">NoResults</set>
  </condition>
  <condition>
    <set token="KER">$result.KER$</set>
    <set token="singleresult">true</set>
    <set token="runDuration">$job.runDuration$</set>
    <set token="test">ResultsFound</set>
  </condition>
</preview>

I have also added a test token... Can you print it to confirm which block is being hit?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

jkat54
SplunkTrust
SplunkTrust

You should post the whole dashboard code IMHO.


snoobzilla
Builder

@jkat54 a bit of a pain to sanitize from internal references... may resort to that eventually.


niketn
Legend

Which version of Splunk are you using?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

snoobzilla
Builder

Enterprise 6.4.1


niketn
Legend

Can you try a couple of things?

1) Print a table with the required fields in your base search: | table _time ErrorLogID KER (also run it independently to confirm that only one row exists and the data is getting populated. You should not get "No results found".)
2) Change the match condition from $job.resultCount$==1 to $job.resultCount$!=0. This way there will be just two condition blocks, i.e. either results are returned or they are not.
3) I am not sure if the following will help, but try changing the search event handler from done to progress.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

lquinn
Contributor

I just tried your code above and it worked perfectly for me ... Is there any other part of your dashboard that could be affecting this?


snoobzilla
Builder

I added more of surrounding code... it is a base search and there is a finalized event handler at the end but pulling that did not fix.


somesoni2
SplunkTrust
SplunkTrust

Try this <condition match=" 'job.resultCount' == 1"> instead of <condition match="$job.resultCount$ == 1">.

http://docs.splunk.com/Documentation/Splunk/6.3.3/Viz/tokens#Search_tokens_for_dynamic_display_examp...

snoobzilla
Builder

Thanks, no change. Updated with more of surrounding code.
