We have already learned tokens and the use of eval tokens; now we will learn to use conditional tokens to set and unset the search query of a panel depending upon the result of the conditional tokens. Conditional tokens work similarly to an if loop used in programming languages. In a null search swapper, we will set tokens from the search manager to control behaviors on the page. Each search result outputs metadata around the search, the job, the server, and even the results. This feature helps users to access and set tokens from that metadata to be used throughout the page.
The null search swapper can be used to hide visualization if the result of a search query is null/empty. This kind of customization can be very useful when building highly dynamic dashboards for enterprises. For instance, the null search swapper can be used to hide a specific panel if the search result outputs nothing. So, since now the output is available instead of occupying space in the dashboard, showing no results to display, that panel will be hidden:
A conditional operation includes functions like the following:
- Modifying the search to run on the basis of a search query
- Hiding or displaying the panel or content of the panel on the basis of a condition
- Selecting a view to open based on a token value
The following are the tokens which can be used with a conditional operation with form inputs. The elements containing the attributes depends and rejects use the <set> and <unset> elements to set the token values that these attributes consume:
<change>: A container element for the conditions that you define<condition>: Sets the condition based on the value of the input selection<link>: A link can be specified to a destination based on a given condition<set>: Sets the value for the given conditional token<unset>: Unsets a token which was previously set
Let's understand what the use of the null search swapper is by using an example, and then we will go through the implementation part of the null search swapper.
In our example, we have two radio options asking the user to choose either one. The following are the options of the two radio buttons in the example used, along with the description:
Sourcetype=splunkd: This search will run a search query (index=_internal sourcetype=splunkd) and the result will be plotted in a bar chartSourcetype=null: This search will run a search query (index=_internal sourcetype=null) and there will be no result returned; hence, the chart panel will be hidden
The following is the sample output of the null search swapper example when the first radio option is chosen:
The output of the null search swapper example dashboard when the second radio option (sourcetype=null) is selected. Since the result of the search query is null/no events, the panel will be hidden, with a message specified in the XML code. The following image is the example output image:
Since we have seen, with the help of an example, the use of the null search swapper in the Splunk dashboard, let us have a look at the implementation part of it. The following are the changes required in the XML source code of the dashboard to implement the null search swapper on Splunk.
This section of code is for the radio button menu. The important point to note here is the token (radio_option), which we will be using in the later section for condition evaluation. The following code snippet describes which search query will run on the respective selection of a radio button:
The following code snippet uses a conditional tag to match the specific condition (the count of the search result). If the value of the search result is equal to zero, then the token (show_html) is set and otherwise, it is unset. The following code is written in the <progress> tag, as the code job.resultCount is used to set/unset the token:
Once the conditional tag is assigned with a value and the respective code is defined as shown, the preceding defined token is used to render a visualization action on the dashboard. In the following code snippet, as already explained, rejects and depends tokens are used to unset and set, respectively. If the condition matches an HTML paragraph specified is shown on the dashboard and if it doesn't match, then the result with the bar chart visualization will be visible:
Thus, null search swapper can be used to hide panels when the result of a search query is null, that is, the result of the search query returns nothing. The null search swapper code snippet can be modified as per need, and different conditions can be specified in the <condition> tag to get the desired result on the dashboard.