topic Custom Event Renderer in Splunk Search

Custom Event Renderer

wollinet — Thu, 22 Jul 2010 20:22:08 GMT

I'm trying to write a custom event renderer for an event type. I want to change the event display to a single field of the event. Basically it's working:

<%def name="event_raw(job, event, request, options, xslt)"> 
        <% msg = event.fields.get('message') %> 
        % if msg is None: 
                <%parent:event_raw job="${job}", event="${event}", request="${request}", options="${options}", xslt="${xslt}" />
        % else: 
                <pre class="event">${msg}</pre> 
        % endif 
</%def>

The problem is that I'm loosing the segmentation functionality (highlighting and selection in the GUI). It seems that this is achieved with the event.raw.toXml() call. Can I do something like that with any field ?

Thx for any help, Wollinet

Re: Custom Event Renderer

Johnvey — Wed, 13 Oct 2010 04:57:37 GMT

Native segmentation is only available on the raw event text. Fields are simple lists and are never segmented. You can recreate segmentation logic on the value of your fields and then render them as segments by generating something like:

<pre class="event"><em class="t">SOME_VALUE_HERE</em></pre>

The UI will handle the hover and clicking. The event fields do not have a matching .toXml() method.

Re: Custom Event Renderer

wollinet — Wed, 13 Oct 2010 13:19:33 GMT

Thx fpr your answer. Support told me that, too. But unfortunately I have to handle a bunch of different event formats (some of them XML). They are all wrapped in a message which I tried to remove with this approach.

But even if it would work, there are a lot more problems:
- export still uses the raw format
- field extraction dialog uses the raw format
- and a lot more

So we ended up stripping the message part from the event and put everything we need from it (basically meta data) into indexed fields.