Is there a way to access the results of a query in the Simple XML of a dashboard (Source)? In essence, is there a way to parse the results of a search to the Simple XML (maybe using a variable or keyword)? Also, after splitting by a particular field, is there a way to manually change the text that is displayed by the boxes in the visualization? I want to be able to set the text being displayed to the values of a particular field in the search result. Thanks
 
					
				
		
@mawomommoh, Try the following.
Step 1) Use the split by Action option in Trellis, as you have used in the first screenshot.
Step 2) Add | eval Result=Action as the final pipe in your query to update the value of Result and display the Action value instead.
             source="xxx" host="xxx" index="xxx_xml" sourcetype="xml" 
             | stats distinct_count(Result) by Action, Result
             | eval color=case(Result=="Passed","green",Result=="Skipped","gold", Result=="Failed","red")
             | eval Result=Action
Step 3) Use a CSS override to hide the Status Indicator header label text.
      div.facet-label{
        visibility:hidden !important;
      }
The following is a run-anywhere example on top of Splunk's _internal index, based on the details provided:
<dashboard>
  <label>Status Indicator with Trellis</label>
  <row>
    <panel>
      <html depends="$alwaysHideCSSStyle$">
        <style>
          div.facet-label{
            visibility:hidden !important;
          }
        </style>
      </html>
      <viz type="status_indicator_app.status_indicator">
        <search>
          <query>index=_internal sourcetype=splunkd log_level=*
| stats distinct_count(component) as dcComponent by component,log_level
| eval color=case(log_level=="INFO","#65a637",log_level=="WARN","#f7bc38", log_level=="ERROR","#d93f3c")
| eval log_level=component</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="height">480</option>
        <option name="drilldown">none</option>
        <option name="status_indicator_app.status_indicator.colorBy">field_value</option>
        <option name="status_indicator_app.status_indicator.fillTarget">background</option>
        <option name="status_indicator_app.status_indicator.fixIcon">warning</option>
        <option name="status_indicator_app.status_indicator.icon">field_value</option>
        <option name="status_indicator_app.status_indicator.precision">0</option>
        <option name="status_indicator_app.status_indicator.showOption">1</option>
        <option name="status_indicator_app.status_indicator.staticColor">#d93f3c</option>
        <option name="status_indicator_app.status_indicator.useColors">true</option>
        <option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">small</option>
        <option name="trellis.splitBy">component</option>
      </viz>
    </panel>
  </row>
</dashboard>
 
					
				
		
Wow! Thank you so much @niketnilay . It worked! I really appreciate the help 🙂
 
					
				
		
@mawomommoh, glad it worked... the initial code you posted seemed familiar... wink ... wink!!! 😉
 
					
				
		
@mawomommoh, based on the description it seems like you might have to use a Simple XML JS Extension. However, you might have to add more details for the community experts to help you, like what the underlying search is and what the expected change is. If you can add a mock screenshot of what you have and what you want, that would also be of great help!
Thanks @niketnilay. Here is a more detailed explanation of the problem and what I am trying to achieve: https://answers.splunk.com/comments/613505/view.html
 
					
				
		
Not able to understand clearly... provide your sample XML and what you want to achieve.
Here is the simple xml I am trying to manipulate (from the 'Source' Edit dashboard option):
<dashboard stylesheet="xxx.css" script="xxx.js">
  <label>xxxReport</label>
  <row>
    <panel>
      <html depends="$alwaysHideCSSOverride$">
        <style>
          .splunk-status-indicator {
            border-radius: 35px !important;
          }
        </style>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <viz type="status_indicator_app.status_indicator">
        <search>
          <query>source="xxx" host="xxx" index="xxx_xml" sourcetype="xml" 
            | stats distinct_count(Result) by Action, Result
            | eval color=case(Result=="Passed","green",Result=="Skipped","gold", Result=="Failed","red")</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="drilldown">none</option>
        <option name="height">500</option>
        <option name="refresh.display">progressbar</option>
        <option name="status_indicator_app.status_indicator.colorBy">field_value</option>
        <option name="status_indicator_app.status_indicator.fillTarget">background</option>
        <option name="status_indicator_app.status_indicator.fixIcon">check</option>
        <option name="status_indicator_app.status_indicator.icon">field_value</option>
        <option name="status_indicator_app.status_indicator.precision">0</option>
        <option name="status_indicator_app.status_indicator.showOption">1</option>
        <option name="status_indicator_app.status_indicator.staticColor">#555</option>
        <option name="status_indicator_app.status_indicator.useColors">true</option>
        <option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">small</option>
        <option name="trellis.splitBy">Action</option>
      </viz>
    </panel>
  </row>
</dashboard>
Here is a sample output of how the dashboard appears based on the XML above: Status Indicator Dashboard when split by Action: https://ibb.co/dRP1Ob
What I want to achieve:
Instead of the values of the Result field (e.g. 'Passed', 'Skipped') being displayed in the boxes in the dashboard, I want to display the values of the Action field (e.g. 'Place order', 'Call customer', etc.) in those boxes dynamically based on the results of my query.
If I split by the Result field, the dashboard appears like this: Status Indicator Dashboard when split by Result: https://ibb.co/n1Gnww
The final goal is that the dashboard should appear something like this: Status Indicator Final Goal: https://ibb.co/hVJQGw
I hope this clarifies things better. Thanks in advance!
 
					
				
		
In what visualization do you want to do this: table/chart/html?
I am using the Status Indicator Visualization App. I am trying to manipulate the Simple XML of the dashboard created by this app. See my response to @493669 (https://answers.splunk.com/comments/613505/view.html) for a more detailed explanation of the problem and what I am trying to achieve. Thanks in advance!
