All Apps and Add-ons

Can we display search results in HTML tags using Splunk version 6.x?

Motivator

Hi All,

In Splunk older versions, there is a concept of distributing the Splunk search results in HTML modules, or HTML tags using the results token. i.e. results[0].fieldname etc.

In Splunk 6.x version do we have any examples of getting the same functionality?

My older sample code in Splunk 5.x version:

<module name="HiddenSearch" layoutPanel="panel_row1_col1_grp1" autoRun="True">
          <param name="search">index=_internal | stats count </param>
          <module name="HTML" layoutPanel="panel_row5_col1_grp1">
            <param name="html">
              <div> Search Results : $results.count$ </div>
            </param>
          </module>
        </module>

Can we have something similar for Splunk 6.x version ??

thanks,
Rakesh,.

0 Karma

SplunkTrust
SplunkTrust

Following are some of common search tokens:

Job Metadata
$job.earliestTime$ - Initial time a search job starts
$job.latestTime$ - Latest time recorded for the search job
$job.resultCount$ - Number of results returned by the search job
$job.runDuration$ - Time, in seconds, that the search took to complete
$job.messages$ - List of error and debug messages generated by the search job

Search Results (first result only)
$result.[fieldName]$ - Results are referenced directly by their field name.

Refer to Search Result Setter example on the Splunk 6.x Dashboard Example App.

    <search>
      <query>index=_internal |  top sourcetype</query>
      <earliest>-60m</earliest>
      <latest>now</latest>
      <!-- Use the following search events to access job properties, and set tokens that can be accessible throughout the page -->
      <!-- Progress event has access to job properties only (not first result row) -->
      <progress>
        <set token="sourcetype_count">$job.resultCount$</set>
      </progress>
      <cancelled>
        <unset token="sourcetype_count"></unset>
      </cancelled>
    </search>

Also for using HTML Panels in Splunk Dashboard refer to Null Search Swapper example. Following is a snippet from the same

  <html depends="$show_html$">
     <p style="color:blue;margin-left:30px;font-size:14px">Search returned no results, so we've hidden the chart!</p>
  </html>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Motivator

Hi Niketnilay,

thanks for your reply. from the above code its show to refer to the first row of the results , how can we refer to the second row of the results ??

Search Results (first result only)
$result.[fieldName]$ - Results are referenced directly by their field name.

Is there any way to refer to the second row and so on...

many thanks,
Rakesh.

0 Karma

SplunkTrust
SplunkTrust

I don't think there is way through Simple XML. You can do it either through SDK or JavaScript Extensions.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Motivator

Hi Niketnilay,

thanks for your reply. from the above code its show to refer to the first row of the results , how can we refer to the second row of the results ??

Search Results (first result only)
$result.[fieldName]$ - Results are referenced directly by their field name.

Is there any way to refer to the second row and so on...

many thanks,
Rakesh.

0 Karma