I have the following XML code:
<input type="dropdown" token="team" searchWhenChanged="true">
  <search>
    <query>.....</query>
  </search>
  <change>
    <unset token="some_token"></unset>
  </change>
</input>
Even when I don't change the value of the input, the change (the unset of some_token) occurs continuously until the search of the query is completely finished. The search itself can take a long time since it spans a period of some weeks.
I'm trying to add a condition that would trigger the change (the unset of some_token) only at the moment the search process of the query begins, without having to wait for the whole process to finish.
I tried condition match="_time=earliest" but that didn't work.
Please help me.
Thanks,
Sam
From the description provided, you should be coding the event handler of the search rather than the change event handler of the dropdown.
<search>
  <query>.....</query>
  <progress>
    <condition match="$job.resultCount$==0">
      <!-- What do you want to do if search returns no result? It should go here-->
    </condition>
    <condition>
      <unset token="some_token"></unset>
    </condition>
  </progress>
</search>
Is job.resultCount a default field in Splunk or do I have to replace it with fields of my own?
Can I leave the content of the first condition empty?
$job.resultCount$ is a default token available for the Search Job, so you can use it as it is. You can leave the content of the first condition empty; however, you can also keep just one condition if you don't need to perform anything for no results:
<condition match="$job.resultCount$!=0">
  <unset token="some_token"></unset>
</condition>
OR
<condition match="$job.resultCount$>0">
  <unset token="some_token"></unset>
</condition>
@vshakur, please accept the answer to mark this question as answered. If you require further assistance, do let us know.
I just have one more question:
Does $job.resultCount$ change in real time as the search process continues, or is its value obtained at the end of the search?
@vshakur, that actually depends upon which search event handler you are using. If you use <progress>, it will update as the search runs. If you just want to display the final value after the search completes, you can use <done> instead.
Read about Search Event Handlers in the Splunk Documentation to understand this concept along with examples.
@vshakur, you might have to add more details on what you are trying to achieve.
Do you need to pick just the $time_picker.latest$ token?
What do you imply by "I would like the unset of some_token to occur only for the first timestamp of the search"?
Can you provide an example with data?
I edited my question.
I just want the change to occur at the moment I choose a different value in the dropdown input. Right now the change occurs long after I picked a different value in the dropdown input because it takes a long time for the search process to finish; the searching process itself triggers the change.