How to display two result tables on one page in Splunk Sideview

disha
Contributor

Right now I have one view with pulldowns. It takes data, performs the search, and displays the result on the page in table format (using SimpleResultsTable).
Now I want to perform another search in the same view and need to display its result table below the first one, and both result tables should show results when the page loads.
How can I achieve that? I am not able to find out how to play with the layout.
Please help.
Thanks


sideview
SplunkTrust

Well, let's say you have a simple view with one search and one table, like so:

<view autoCancelInterval="90" isVisible="false" onunloadCancelJobs="true" template="dashboard.html" isSticky="False">
  <label>Example View</label>
  <module name="AccountBar" layoutPanel="appHeader" />
  <module name="AppBar" layoutPanel="appHeader" />
  <module name="SideviewUtils" layoutPanel="appHeader" />  
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="maxSize">2</param>
    <param name="clearOnJobDispatch">False</param>
  </module>

  <module name="HTML" layoutPanel="viewHeader">
    <param name="html"><![CDATA[
    <h1>This is an HTML module. Put whatever HTML here you like.</h1>
    ]]></param>
  </module>

  <module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
    <param name="search">index=_internal source=*metrics.log group="per_sourcetype_thruput" | stats sum(kb) by series</param>
    <param name="earliest">-24h</param>

    <module name="HTML">
      <param name="html"><![CDATA[
        <h3>$results.count$ sourcetypes found $search.timeRange.label$</h3>
      ]]></param>
    </module>

    <module name="JobProgressIndicator"></module>

    <module name="Pager">
      <module name="SimpleResultsTable"></module>
    </module>
  </module>
</view>

And if, instead of one search putting its search results into one table, you want two searches putting their search results into two tables, you just add your new config beneath the first block, but not nested inside that first block, and you change the layoutPanel attributes if you want the second table to be in another panel. It ends up looking like this:

<view autoCancelInterval="90" isVisible="false" onunloadCancelJobs="true" template="dashboard.html" isSticky="False">
  <label>Example View</label>
  <module name="AccountBar" layoutPanel="appHeader" />
  <module name="AppBar" layoutPanel="appHeader" />
  <module name="SideviewUtils" layoutPanel="appHeader" />  
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="maxSize">2</param>
    <param name="clearOnJobDispatch">False</param>
  </module>

  <module name="HTML" layoutPanel="viewHeader">
    <param name="html"><![CDATA[
    <h1>This is an HTML module. Put whatever HTML here you like.</h1>
    ]]></param>
  </module>

  <module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
    <param name="search">index=_internal source=*metrics.log group="per_sourcetype_thruput" | stats sum(kb) by series</param>
    <param name="earliest">-24h</param>

    <module name="HTML">
      <param name="html"><![CDATA[
        <h3>$results.count$ sourcetypes found $search.timeRange.label$</h3>
      ]]></param>
    </module>

    <module name="JobProgressIndicator"></module>

    <module name="Pager">
      <module name="SimpleResultsTable"></module>
    </module>
  </module>



  <module name="Search" layoutPanel="panel_row2_col1" autoRun="True">
    <param name="search">index=_* OR index=* | stats count by sourcetype index</param>
    <param name="earliest">-24h</param>

    <module name="HTML">
      <param name="html"><![CDATA[
        <h3>$results.count$ combinations of sourcetype and index found $search.timeRange.label$</h3>
      ]]></param>
    </module>

    <module name="JobProgressIndicator"></module>

    <module name="Pager">
      <module name="SimpleResultsTable"></module>
    </module>
  </module>
</view>