Dashboards & Visualizations

Can i use "job.resultCount" in Splunk 6.2.14?

swaroop_splunk_
New Member

Hi All,

I am new to Splunk and am facing an issue with assigning token value based on condition. I'm using the following code:

<form stylesheet="custom_layout_overlay_icon_mod.css">
  <label>Image Overlay with icons</label>
   <search id="SOA_status">
    <query>host="swaroops-MacBook-Pro.local" "Total Records processed" 
           | stats count</query>
    <earliest>$earliest$</earliest>
    <latest>$latest$</latest>
    <preview>
      <!--No Data - Default Icon and Value-->
      <condition match="'job.resultCount'==0">
        <set token="SOA_status_icon">$redlight_mod1.png$</set>
        <set token="SOA_status_value">0</set>
      </condition>
      <!--Else - Set Icon based on range and set value-->
      <condition>
        <eval token="SOA_status_icon">case($result.count$&gt;=1 ,"$greenlight_mod1.png$")</eval>
        <set token="SOA_status_value">$result.count$</set>
      </condition>
    </preview>
  </search>
</style>  
          <div class="ingestion_pipeline">
              <div class="image"/>
              <!--
                Environment Token $env:app$ available only Splunk Enterprise version 6.5 onwards.
                In Previous versions App Name has to be hardcoded or fetched via Javascript i.e. autodiscover.js
              -->
              <img src="/static/app/BatchDashboard/images/Splunk.png"/>
              <div class="singleValue" id="ST_upstream_status">$ST_upstream_value
                <img src="/static/app/BatchDashboard/images/$ST_upstream_icon$"/>
              </div>

My version of Splunk is 6.2.14, and yes, I did try after removing the $$ in greenlight_mod1.png as well. But the output I'm getting is $ST_upstream_value$, and instead of image, it's showing as a ? mark in the blue box.

Looks like the lines after the condition match are not being executed.

Can someone please tell me what I'm doing that's causing this error? And, if its a problem of version, do you know how i can achieve this with version 6.2.14. ?

I would be really grateful, as I have been stuck for almost 3 weeks at this point.

Thanks in advance.

Tags (2)
0 Karma
1 Solution

niketn
Legend

@swaroop_splunk_demo, as per the documentation seems like search event handlers were available from Splunk Enterprise 6.3 onward. Also <preview> and <finalized> existed before Splunk 6.5 (which replaced <progress> and <done> respectively) to access first row of $results.yourFieldName$.

Since search event handlers does not seem to be present in 6.2, some of the options you might have if you are not in a position to upgrade Splunk are to:

  1. Use Advanced XML which is deprecated now but should work with 6.2. http://docs.splunk.com/Documentation/Splunk/6.2.14/AdvancedDev/AdvancedDashboard

  2. Convert to HTML Dashboard (however, this would be irreversible i.e. HTML dashboard can not be converted back to Simple XML) and will come with its own limitations. You would need to html, css, JS and SplunkJS to code. http://docs.splunk.com/Documentation/Splunk/6.2.14/Viz/ExportHTML

  3. Use SplunkJS to access Search result. http://dev.splunk.com/view/webframework-splunkjsstack/SP-CAAAESV

For either one you should try to reach out to Splunk Support or hunt Splunk Answers for older answers specific to 6.2.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

niketn
Legend

@swaroop_splunk_demo, as per the documentation seems like search event handlers were available from Splunk Enterprise 6.3 onward. Also <preview> and <finalized> existed before Splunk 6.5 (which replaced <progress> and <done> respectively) to access first row of $results.yourFieldName$.

Since search event handlers does not seem to be present in 6.2, some of the options you might have if you are not in a position to upgrade Splunk are to:

  1. Use Advanced XML which is deprecated now but should work with 6.2. http://docs.splunk.com/Documentation/Splunk/6.2.14/AdvancedDev/AdvancedDashboard

  2. Convert to HTML Dashboard (however, this would be irreversible i.e. HTML dashboard can not be converted back to Simple XML) and will come with its own limitations. You would need to html, css, JS and SplunkJS to code. http://docs.splunk.com/Documentation/Splunk/6.2.14/Viz/ExportHTML

  3. Use SplunkJS to access Search result. http://dev.splunk.com/view/webframework-splunkjsstack/SP-CAAAESV

For either one you should try to reach out to Splunk Support or hunt Splunk Answers for older answers specific to 6.2.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

DalJeanis
SplunkTrust
SplunkTrust

result does not consistently exist at <progress> time, and starts as zero until something is returned. Not sure what <preview> might do.

Use <done>.

https://docs.splunk.com/Documentation/Splunk/7.1.2/Viz/PanelreferenceforSimplifiedXML#search

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...