Can we display search results in HTML tags using Splunk version 6.x?

rakesh_498115
Motivator

Hi All,

In older Splunk versions, there is a concept of distributing the Splunk search results in HTML modules or HTML tags using the results token, i.e. results[0].fieldname etc.

In Splunk version 6.x, do we have any examples of getting the same functionality?

My older sample code in Splunk 5.x version:

    <module name="HiddenSearch" layoutPanel="panel_row1_col1_grp1" autoRun="True">
      <param name="search">index=_internal | stats count </param>
      <module name="HTML" layoutPanel="panel_row5_col1_grp1">
        <param name="html">
          <div> Search Results : $results.count$ </div>
        </param>
      </module>
    </module>

Can we have something similar for Splunk version 6.x?

Thanks,
Rakesh.

0 Karma

niketn
Legend

Following are some of the common search tokens:

Job Metadata
$job.earliestTime$ - Initial time a search job starts
$job.latestTime$ - Latest time recorded for the search job
$job.resultCount$ - Number of results returned by the search job
$job.runDuration$ - Time, in seconds, that the search took to complete
$job.messages$ - List of error and debug messages generated by the search job

Search Results (first result only)
$result.[fieldName]$ - Results are referenced directly by their field name.

Refer to Search Result Setter example on the Splunk 6.x Dashboard Example App.

    <search>
      <query>index=_internal |  top sourcetype</query>
      <earliest>-60m</earliest>
      <latest>now</latest>
      <!-- Use the following search events to access job properties, and set tokens that can be accessible throughout the page -->
      <!-- Progress event has access to job properties only (not first result row) -->
      <progress>
        <set token="sourcetype_count">$job.resultCount$</set>
      </progress>
      <cancelled>
        <unset token="sourcetype_count"></unset>
      </cancelled>
    </search>

Also, for using HTML panels in a Splunk dashboard, refer to the Null Search Swapper example. Following is a snippet from the same:

  <html depends="$show_html$">
     <p style="color:blue;margin-left:30px;font-size:14px">Search returned no results, so we've hidden the chart!</p>
  </html>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

rakesh_498115
Motivator

Hi Niketnilay,

Thanks for your reply. From the above code, it shows how to refer to the first row of the results. How can we refer to the second row of the results?

Search Results (first result only)
$result.[fieldName]$ - Results are referenced directly by their field name.

Is there any way to refer to the second row and so on?

Many thanks,
Rakesh.

0 Karma

niketn
Legend

I don't think there is a way through Simple XML. You can do it either through the SDK or JavaScript Extensions.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
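
The JavaScript route mentioned in the reply above, as an added example that is not part of the original thread: picking an arbitrary row out of a result set and HTML-escaping the value before it goes into the page, since field values come from indexed data. It assumes the results arrive in the `{fields, rows}` shape (as SplunkJS gives from a search manager's `data("results")` model); `sampleResults`, `getRow` and `renderRow` are hypothetical names and the sample data is constructed.

```javascript
// Constructed sample in the {fields, rows} shape of a json_rows result set.
const sampleResults = {
  fields: ["sourcetype", "count", "percent"],
  rows: [
    ["splunkd", "9120", "81.2"],
    ["splunk_web_access", "1503", "13.4"],
    ["<b>syslog</b>", "610", "5.4"], // value that carries markup
  ],
};

// Escape a field value before it is placed inside HTML.
function escapeHtml(value) {
  const map = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Return row `index` (0-based) as {fieldName: value}, or null if absent.
function getRow(results, index) {
  if (!results || !Array.isArray(results.rows)) return null;
  const row = results.rows[index];
  if (!row) return null;
  const out = {};
  results.fields.forEach((name, i) => { out[name] = row[i]; });
  return out;
}

// Build the HTML fragment for one field of one row (hypothetical helper).
function renderRow(results, index, fieldName) {
  const row = getRow(results, index);
  if (row === null || !(fieldName in row)) {
    return "<div>No result in row " + (index + 1) + "</div>";
  }
  return "<div>Search Results : " + escapeHtml(row[fieldName]) + "</div>";
}

// Second row (index 1), the case Simple XML tokens cannot reach.
console.log(renderRow(sampleResults, 1, "count"));
```

In a dashboard extension the object passed as `results` would be the results model's data, read inside its `data` event handler; that wiring needs the Splunk runtime and is not shown here.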
