Dashboards & Visualizations

Hide a panel when the results of a search return

kiddsupreme
Explorer

Hello,

I'm sure I am missing something simple, but thought I should ask. I am running a search that does the following:

Fields
- dv_node = The string that holds the hostname of devices
- dv_number = A unique alert ID #
- state = a value of "Processed" when opened and a value of "Closed" when closed
- dv_severity = Clear means the alert has closed

The first part of the search grabs the alerts that are active. The second part of the search grabs the alerts that are closed. If it finds a match between the dv_number of an ACTIVE alert in the 1st search and the dv_number of a CLOSED alert in the 2nd search, eliminate that dv_number from the final count. This is because the logs we process may have many entries along the way, but there should be at LEAST 1 ACTIVE entry and 1 CLOSED entry in the logs (since, if something alarms, it has to eventually clear, right?).

At this point, the only thing that should be showing up are active items. We then run a dedup to eliminate those "many entries along the way" logs. Basically, let's ignore everything that came after that initial alert, until a matching closed event is found.

Finally, do a count by dv_node to get a # of active entries per hostname.

<panel>
  <title>Active Events (Last 5 minutes)</title>
  <table>
    <search>
      <query>[search dv_severity NOT "Clear" state=Processed | fields dv_number ] NOT [search dv_severity="Clear" state=Closed | fields dv_number ]  | dedup dv_number | stats count by dv_node</query>
      <earliest>-5m</earliest>
      <latest>now</latest>
      <sampleRatio>1</sampleRatio>
      <refresh>2m</refresh>
      <refreshType>delay</refreshType>
    </search>
    <option name="count">100</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="percentagesRow">false</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
  </table>
</panel>

I went ahead and tried adjusting it to the following:

<panel>
  <title>Active Events (Last 5 minutes)</title>
  <table>
    <search>
      <query>[search dv_severity NOT "Clear" state=Processed | fields dv_number ] NOT [search dv_severity="Clear" state=Closed | fields dv_number ]  | dedup dv_number | stats count by dv_node</query>
      <earliest>-5m</earliest>
      <latest>now</latest>
      <sampleRatio>1</sampleRatio>
      <refresh>2m</refresh>
      <refreshType>delay</refreshType>
      <progress>
        <condition match="'job.resultCount' == 0">
          <set token="panel_show">false</set>
        </condition>
        <condition>
          <unset token="panel_show"/>
        </condition>
      </progress>
    </search>
    <option name="count">100</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="percentagesRow">false</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
  </table>
</panel>

Now with all the preamble out of the way, this is what I'm trying to accomplish: If the ACTIVE events are found to be 0, can I make the panel disappear? Essentially, I only want the panel to "appear" on screen when it finds an ACTIVE alert. However, when I run my dashboard I still see the panel, with the "No Results Found".

I hope that makes sense. Thanks in advance.

1 Solution

niketn
Legend

@kiddsupreme, you would need to read about the depends/rejects attributes to understand how they work.
When depends is used with a visualization element, it shows the element only when the token is set (could be any value) and hides it when the token is unset (is undefined or null).
With rejects the same behavior is reversed, i.e. when the token is set the element is hidden and when the token is unset the element is displayed.
Refer to the Null Search Swapper example in the Splunk Dashboard Examples App or an example with depends in Splunk Docs.

In your case, since you are setting the token when the number of results returned is 0, you should also add the token as rejects, which is missing in the code you have provided. Try the following code and confirm:

<panel rejects="$panel_show$">
  ....
  ....
  ....
      <progress>
        <condition match="$job.resultCount$==0">
          <set token="panel_show">true</set>
        </condition>
        <condition>
          <unset token="panel_show"></unset>
        </condition>
      </progress>

PS: If you are on Splunk 6.5 or higher, you should use the <progress> search event handler. If you are on Splunk 6.4 or a previous version, you should use the <preview> search event handler instead.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

kiddsupreme
Explorer

Thank you; that is working perfectly. I did however need to remove the </unset> after the <unset token="panel_show">, because Splunk's error message reads: "Unexpected close tag". Once I removed that tag, it worked as expected. I appreciate not only the solution, but your detailed explanation; it definitely helped me visualize how it works. Thanks again!

kiddsupreme
Explorer

Okay, apparently I didn't have my XML quite lined up... once I fixed that, the command worked as well.
