Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to condition a token unset based on time stamps

vshakur
Path Finder
‎08-16-2017 10:56 PM

I have the following XML code:

 <input type="dropdown" token="team" searchWhenChanged="true">
    <search>
      <query>.....</query>
    </search>
    <change>
      <unset token="some_token"></unset>
    </change>
 <input>

Even when I don't change the value of the input the change (the unset of some_token) occurs continuously until the search of the query is completely finished. The search itself can take a long time since it spans over a period of some weeks.

I'm trying to add a condition that would trigger the change (the unset of some_token) only at the moment the search process of the query began, without having to wait for the whole process to finish.

I tried condition match="_time=earliest" but that didn't work.

Please help me.

Thanks,
Sam

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎08-16-2017 11:28 PM

From the description provided you should be coding the event handler of search rather than change event handler of dropdown.

 <search>
   <query>.....</query>
   <progress>
      <condition match="$job.resultCount==0$">
             <!-- What do you want to do if search returns no result? It should go here-->
      </condition>
      <condition>
          <unset token="some_token"></unset>
      </condition>
   </progress>
 </search>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎08-16-2017 11:28 PM

From the description provided you should be coding the event handler of search rather than change event handler of dropdown.

 <search>
   <query>.....</query>
   <progress>
      <condition match="$job.resultCount==0$">
             <!-- What do you want to do if search returns no result? It should go here-->
      </condition>
      <condition>
          <unset token="some_token"></unset>
      </condition>
   </progress>
 </search>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

vshakur
Path Finder
‎08-16-2017 11:36 PM

Is job.resultCount a default field in Splunk or do I have to replace it with fields of my own?
Can I leave the content of the first condition empty?

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎08-17-2017 04:59 AM

$job.resultCount$ is default token available for Search Job. So you can use as it is. You can leave content of first Condition empty however, you can also keep just noe condition if you dont need to perform anything for no results:

   <condition match="$job.resultCount!=0$">
       <unset token="some_token"></unset>
   </condition>

OR

   <condition match="$job.resultCount>0$">
       <unset token="some_token"></unset>
   </condition>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎08-19-2017 10:54 PM

@vshakur, please accept the answer to mark this question as answered. If you require further assistance, do let us know.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

vshakur
Path Finder
‎08-20-2017 09:06 AM

I just have one more question:
Does $job.resultCount$ changes at real time as search process continues or is its value obtained at the end of the search?

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎08-20-2017 09:12 AM

@vshakur, that actually depends upon which search event handler you are using. If you use <progress>, it will update as the search run. If you just want to display the final value after the search completes you can use <done> instead.

Read about Search Event Handlers in the Splunk Documentation to understand this concept along with examples.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎08-16-2017 11:00 PM

@vshakur, you might have to add more details on what are you trying to achieve.
Do you need to pick just the $time_picker.latest$ token?

What do you imply by "I would like the unset of some_token to occur only for the fist timestamp of the search"

Can you provide example with data?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

vshakur
Path Finder
‎08-16-2017 11:25 PM

I edited my question.
I just want the change to occur at the moment I choose a different value in the dropdown input. Right now the change occurs long after I picked a different value in the dropdown input because it takes a long time for the search process to finish, the searching process itself triggers the change.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...