All Apps and Add-ons

How to customize "waiting for data" on the dashboard to some text in custom SimpleXML extensions?

balkanbgboy
New Member

Hi,
I am running real time search as dashboard and when there are no logs I got "waiting for data". Is it possible to change the source XML file and display for example "no events "?

0 Karma
1 Solution

harishalipaka
Motivator
<form>
  <label>textinput</label>
  <init>
    <set token="text">"Not in your data"</set>
  </init>
  <fieldset submitButton="true">
    <input type="text" token="text">
      <label>Enter Value</label>
      <prefix>"</prefix>
      <suffix>"</suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Results of $text$</title>
        <search>
          <query>|makeresults | eval user ="Hari" |eval report="send mail to secure" |append [|makeresults | eval user ="PEPITO" |eval report="Failure"] |fields - _time |where user=$text$ |appendpipe [|stats count as user |where user=0 |eval user="No Results"] </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
Thanks
Harish

View solution in original post

0 Karma

harishalipaka
Motivator
<form>
  <label>textinput</label>
  <init>
    <set token="text">"Not in your data"</set>
  </init>
  <fieldset submitButton="true">
    <input type="text" token="text">
      <label>Enter Value</label>
      <prefix>"</prefix>
      <suffix>"</suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Results of $text$</title>
        <search>
          <query>|makeresults | eval user ="Hari" |eval report="send mail to secure" |append [|makeresults | eval user ="PEPITO" |eval report="Failure"] |fields - _time |where user=$text$ |appendpipe [|stats count as user |where user=0 |eval user="No Results"] </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
Thanks
Harish
0 Karma

balkanbgboy
New Member

shell_pci_ent_rtr_real_monitor

<panel>
  <event>
    <search>
      <query>sourcetype="udp:514" AND GH-SHELL-PCI 

NOT (145.26.24.242 OR 145.26.24.243 OR 145.26.24.245)
NOT (02:0* AND "Green => Red" OR "Red => Green")

      <earliest>rt-24h</earliest>
      <latest>rt</latest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="count">50</option>
    <option name="list.drilldown">full</option>
    <option name="list.wrap">1</option>
    <option name="maxLines">5</option>
    <option name="raw.drilldown">none</option>
    <option name="rowNumbers">1</option>
    <option name="table.drilldown">all</option>
    <option name="table.sortDirection">asc</option>
    <option name="table.wrap">1</option>
    <option name="type">raw</option>
    <option name="link.visible">false</option> 
  </event>
</panel>
0 Karma

balkanbgboy
New Member

this is how my search looks like so maybe you can advise how to modify it

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...