Spread our blog

Splunk Search Event Handler: Progress

Search event handlers will enable event actions based on search results or search configuration properties. It includes actions like linking to a page, setting or unsetting tokens, and executing an eval function.

Search event handlers use predefined tokens to access the search results and search properties. The tokens available to each handler vary. In some cases, the event handler does not access a predefined token to enable action.

Event Actions: <eval>, <link>, <set>, <unset> these are the search event handler known as Event actions attribute.

Within the <progress> we can define these below tokens or job properties to get the information regarding the job properties.

  • $job.earliestTime$: Initial job start time.
  • $job.latestTime$: Latest time recorded for the search job.
  • $job.resultCount$: Number of results a search job returned.
  • $job.runDuration$: Time, in seconds, for the search to complete.
  • $job.messages$: List of error and/or debug messages generated by the search job.

There are various job properties are there.

Click here to view all possible job properties in Splunk.

Example:

Here we have created a dashboard like this,

Here we are loading a panel that is basically showing count based on sourcetyeps in the form of a bar chart.

Now below that panel, I added an extra panel that is showing the total time taken by the top panel. That is nothing but the total run time of the top query. Run time is nothing but a search job properties so to get this exact requirement we are using <progress> event handler.

Source code is given below,

<dashboard>
  <label>Splunk Search Event Handler: Progress</label>
  <search id="search_logic">
    <query>index=_internal |  top sourcetype</query>
    <earliest>0</earliest>
    <latest>now</latest>
    <progress>
      <eval token="duration">tostring(tonumber($job.runDuration$),"duration")</eval>
    </progress>
  </search>
  <row>
    <panel>
      <title></title>
      <chart>
        <title>Top sourcetypes for index=_internal</title>
        <search base="search_logic"></search>
        <option name="charting.chart">bar</option>
      </chart>
      <html>
          <h3>Duration</h3>
          <div class="custom-result-value">$duration$</div>
      </html>
    </panel>
  </row>
</dashboard>

As we can see in the top from lines 7 to 9, I have used the <progress>. Within that, I have used a <eval> tag. As I mentioned earlier you need to use “event actions tag” within the <progress> otherwise it won’t work.

You can also know about :  Understanding of Event Annotations in Splunk

In this same fashion, you can use other job properties with the <progress> tag to get their mentioned use case.

Regarding the <eval> tag we will check out this blog: “Splunk Dashboard Child Elements: Eval

Happy Splunking!!

What’s your Reaction?
+1
1
+1
+1
+1
+1
2
+1
+1

Spread our blog

RELATED ARTICLESMORE FROM AUTHOR

LEAVE A REPLY

Please enter your comment!
Please enter your name here