Dashboards & Visualizations

Hide a panel when the results of a search return

kiddsupreme
Explorer

Hello,

I'm sure I am missing something simple, but thought I should ask. I am running a search that does the following:

Fields
- dv_node = The string that holds the hostname of devices
- dv_number = A unique alert ID #
- state = a value of "Processed" when opened and a value of "Closed" when closed
- dv_severity = Clear means the alert has closed

The first part of the search grabs the alerts that are active. The second part of the search grabs the alerts that are closed. If it finds a match between the dv_number of an ACTIVE alert in the 1st search & the dv_number of a CLOSED alert in the 2nd search, eliminate that dv_number from the final count. This is because the logs we process may have many entries along the way, but there should be at LEAST 1 ACTIVE entry and 1 CLOSED entry in the logs (Since, if something alarms, it has to eventually clear right?).

At this point, the only thing that should be showing up is active items. At this point, we run a dedup to eliminate those "many entries along the way" logs. Basically, let's ignore everything that came after that initial alert, until a matching closed event is found.

Finally, do a count by dv_node to get a # of active entries per hostname.

<panel>
  <title>Active Events (Last 5 minutes)</title>
  <table>
    <search>
      <query>[search dv_severity NOT "Clear" state=Processed | fields dv_number ] NOT [search dv_severity="Clear" state=Closed | fields dv_number ]  | dedup dv_number | stats count by dv_node</query>
      <earliest>-5m</earliest>
      <latest>now</latest>
      <sampleRatio>1</sampleRatio>
      <refresh>2m</refresh>
      <refreshType>delay</refreshType>
    </search>
    <option name="count">100</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="percentagesRow">false</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
  </table>
</panel>

I went ahead and tried adjusting it to the following:

<panel>
  <title>Active Events (Last 5 minutes)</title>
  <table>
    <search>
      <query>[search dv_severity NOT "Clear" state=Processed | fields dv_number ] NOT [search dv_severity="Clear" state=Closed | fields dv_number ]  | dedup dv_number | stats count by dv_node</query>
      <earliest>-5m</earliest>
      <latest>now</latest>
      <sampleRatio>1</sampleRatio>
      <refresh>2m</refresh>
      <refreshType>delay</refreshType>
      <progress>
        <condition match="'job.resultCount' == 0">
          <set token="panel_show">false</set>
        </condition>
        <condition>
          <unset token="panel_show"/>
        </condition>
      </progress>
    </search>
    <option name="count">100</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="percentagesRow">false</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
  </table>
</panel>

Now with all the preamble out of the way, this is what I'm trying to accomplish: If the ACTIVE events are found to be 0, can I make the panel disappear? Essentially, I only want the panel to "appear" on screen when it finds an ACTIVE alert. However, when I run my dashboard I still see the panel, with the "No Results Found".

I hope that makes sense. Thanks in advance.

1 Solution

niketn
Legend

@kiddsupreme, you would need to read about the depends/rejects attributes to understand how they work.
When depends is used with a visualization element, it shows the element only when the token is set (could be any value) and hides it when the token is unset (is undefined or null).
With rejects the same behavior is reversed, i.e. when the token is set the element is hidden and when the token is unset the element is displayed.
Refer to the Null Search Swapper example in the Splunk Dashboard Examples App or an example with depends in Splunk Docs.

In your case since you are setting the token when number of results returned is 0 you should also add the token as rejects which is missing in the code you have provided. Try the following code and confirm:

<panel rejects="$panel_show$">
  ....
  ....
  ....
      <progress>
        <condition match="$job.resultCount$==0">
          <set token="panel_show">true</set>
        </condition>
        <condition>
          <unset token="panel_show"></unset>
        </condition>
      </progress>

PS: If you are on Splunk 6.5 or higher, you should use <progress> search event handler. If you are on Splunk 6.4 or previous version you should use <preview> search event handler instead.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

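As an added, complete form of the corrected panel (not code from either post): the questioner's search combined with niketn's rejects attribute, plus an assumed companion panel that uses depends on the same token to show the opposite state. The dashboard label, the companion panel and its wording are assumptions.

```xml
<dashboard>
  <label>Active Events</label>
  <row>
    <!-- Hidden whenever $panel_show$ is set; the handler below sets it only
         when the search job finishes with zero rows -->
    <panel rejects="$panel_show$">
      <title>Active Events (Last 5 minutes)</title>
      <table>
        <search>
          <query>[search dv_severity NOT "Clear" state=Processed | fields dv_number ] NOT [search dv_severity="Clear" state=Closed | fields dv_number ] | dedup dv_number | stats count by dv_node</query>
          <earliest>-5m</earliest>
          <latest>now</latest>
          <refresh>2m</refresh>
          <refreshType>delay</refreshType>
          <!-- match syntax as in the original question; the value given to
               set does not matter, only whether the token is set or unset -->
          <progress>
            <condition match="'job.resultCount' == 0">
              <set token="panel_show">true</set>
            </condition>
            <condition>
              <unset token="panel_show"/>
            </condition>
          </progress>
        </search>
        <option name="count">100</option>
        <option name="drilldown">cell</option>
      </table>
    </panel>
    <!-- Assumed companion panel: depends makes it visible only while the
         same token is set, i.e. exactly when the table above is hidden -->
    <panel depends="$panel_show$">
      <title>No active events</title>
      <html>
        <p>No unresolved alerts in the last 5 minutes.</p>
      </html>
    </panel>
  </row>
</dashboard>
```

Because both panels key off one token, the dashboard never shows the "No Results Found" placeholder and never shows both panels at once.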


kiddsupreme
Explorer

Thank you; that is working perfectly. I did however need to remove the after the because Splunk's error message reads: "Unexpected close tag". Once I removed that tag, it worked as expected. I appreciate not only the solution, but your detailed explanation; it definitely helped me visualize how it works. Thanks again!

kiddsupreme
Explorer

Okay, apparently I didn't have my XML quite lined up... once I fixed that, the command worked as well.
