All Apps and Add-ons

Can we display search results in HTML tags using Splunk version 6.x?

rakesh_498115
Motivator

Hi All,

In Splunk older versions, there is a concept of distributing the Splunk search results in HTML modules, or HTML tags using the results token. i.e. results[0].fieldname etc.

In Splunk 6.x version do we have any examples of getting the same functionality?

My older sample code in Splunk 5.x version:

<module name="HiddenSearch" layoutPanel="panel_row1_col1_grp1" autoRun="True">
          <param name="search">index=_internal | stats count </param>
          <module name="HTML" layoutPanel="panel_row5_col1_grp1">
            <param name="html">
              <div> Search Results : $results.count$ </div>
            </param>
          </module>
        </module>

Can we have something similar for Splunk 6.x version ??

thanks,
Rakesh,.

0 Karma

niketn
Legend

Following are some of common search tokens:

Job Metadata
$job.earliestTime$ - Initial time a search job starts
$job.latestTime$ - Latest time recorded for the search job
$job.resultCount$ - Number of results returned by the search job
$job.runDuration$ - Time, in seconds, that the search took to complete
$job.messages$ - List of error and debug messages generated by the search job

Search Results (first result only)
$result.[fieldName]$ - Results are referenced directly by their field name.

Refer to Search Result Setter example on the Splunk 6.x Dashboard Example App.

    <search>
      <query>index=_internal |  top sourcetype</query>
      <earliest>-60m</earliest>
      <latest>now</latest>
      <!-- Use the following search events to access job properties, and set tokens that can be accessible throughout the page -->
      <!-- Progress event has access to job properties only (not first result row) -->
      <progress>
        <set token="sourcetype_count">$job.resultCount$</set>
      </progress>
      <cancelled>
        <unset token="sourcetype_count"></unset>
      </cancelled>
    </search>

Also for using HTML Panels in Splunk Dashboard refer to Null Search Swapper example. Following is a snippet from the same

  <html depends="$show_html$">
     <p style="color:blue;margin-left:30px;font-size:14px">Search returned no results, so we've hidden the chart!</p>
  </html>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

rakesh_498115
Motivator

Hi Niketnilay,

thanks for your reply. from the above code its show to refer to the first row of the results , how can we refer to the second row of the results ??

Search Results (first result only)
$result.[fieldName]$ - Results are referenced directly by their field name.

Is there any way to refer to the second row and so on...

many thanks,
Rakesh.

0 Karma

niketn
Legend

I don't think there is way through Simple XML. You can do it either through SDK or JavaScript Extensions.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

rakesh_498115
Motivator

Hi Niketnilay,

thanks for your reply. from the above code its show to refer to the first row of the results , how can we refer to the second row of the results ??

Search Results (first result only)
$result.[fieldName]$ - Results are referenced directly by their field name.

Is there any way to refer to the second row and so on...

many thanks,
Rakesh.

0 Karma
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...