Alerting

How do you get a single value in XML and pass the result to JavaScript?

WXY
Path Finder

Hello,

I want to get a count value from a single value and pass the count value to a JavaScript file.

The dashbord XML is:

    <form script="test.js">
      <label>Sound</label>
      <row>
        <panel>
          <single>
            <search>
              <query>index="_internal" | stats count</query>
              <earliest>-15m</earliest>
              <latest>now</latest>
              <sampleRatio>1</sampleRatio>
            </search>
            <option name="drilldown">none</option>
          </single>
        </panel>
      </row>

    </form>

I want to get the count value to JS . And, if the result value is greater than 3000, get alert ().

What should I do?

Tags (3)
0 Karma

mstjohn_splunk
Splunk Employee
Splunk Employee

Hi @WXY,

Did either of the answers below solve your problem? If so, please resolve this post by approving one of them. If your problem is still not solved, keep us updated so that someone else can help ya.

Thanks!

0 Karma

niketn
Legend

@WXY slightly different approach than @kamlesh_vaghela. Since, you are using <single> Value visualization (your results are single row), you can use predefined token $result.<fieldname>$ to get the final stats count using search event handlers <progress> or <done> depending on your use-case. (I have used done in the example)

The following example illustrate two approaches:
1) Using <eval> to set required flag token which displays validation alert message in the <html> panel using depends attribute. (The message in simple XML is not displayed in case token is not set).
2) Use Default Token Model in Simple XML JS Extension using Splunk JS and get the value using token change event handler in JS. Finally, show the alert message based on the result count.

Following is the Simple XML Code example:

<form script="validation_alert.js">
  <label>Alert based on stats threshold</label>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <input type="time" token="tokTime" searchWhenChanged="true">
        <label></label>
        <default>
          <earliest>-5m@m</earliest>
          <latest>now</latest>
        </default>
      </input>
      <single>
        <search>
          <query>index=_internal sourcetype=splunkd
| stats count as Total</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <done>
            <condition match="$job.resultCount$==0">
              <set token="tokResultCount">0</set>
              <unset token="tokAlertMsgSimpleXML"></unset>
            </condition>
            <condition>
              <set token="tokResultCount">$result.Total$</set>
              <eval token="tokAlertMsgSimpleXML">case($result.Total$>=3000,"true")</eval>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
      <html depends="$tokAlertMsgSimpleXML$">
        <div style="color:red">More than 3000 events!</div>
      </html>
    </panel>
  </row>
</form>

Following is the required Javascript code validation_alert.js

require([
                "jquery", 
                "splunkjs/mvc",
                "splunkjs/mvc/simplexml/ready!"],
function($,
                mvc) {
    var defaultTokenModel = mvc.Components.get("default");
    defaultTokenModel.on("change:tokResultCount",function(newTokResultCount,tokResultCount,options){
        if(tokResultCount!==undefined){
            var intTotal;
            intTotal=parseInt(tokResultCount);
            if(intTotal>=3000){
                alert("More than 3000 events!");
            }
        }       
    });
});

Please try out and confirm. PS: If you are using Simple XML approach using depends attribute then JS will not be required.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@WXY

Can you please try below sample dashboard?

XML

<dashboard script="single_view.js">
  <label>Single View</label>
  <row>
    <panel>
      <single>
        <search id="my_single_view_search_manager">
          <query>index="_internal" | stats count </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
  </row>
</dashboard>

Javascript: single_view.js

require([
    "jquery",
    "splunkjs/mvc/searchmanager",
    "splunkjs/mvc",
    "splunkjs/mvc/simplexml/ready!"
], function (
    $,
    SearchManager, mvc
) {
        var my_single_view_search_manager =mvc.Components.getInstance("my_single_view_search_manager"); 
        var myResults = my_single_view_search_manager.data("results"); // get the data from that search
        myResults.on("data", function(){
            resultArray = myResults.data().rows;
            console.log("hieeee",resultArray);
            if(resultArray[0]>3000){
                alert("Above 3000");
            }
            else {
                console.log("Under/Or 3000")
            }
        });
 });

Here, I have given id to single view search manager, ie. my_single_view_search_manager and accessed the result in javascript. You can see the single view result comparison code in js also. I hope it will help you.

Thanks

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...