Web Framework SearchManager to Token

cmwhite
Explorer

My question is about how to set a token value in a Django template taken from the results of a searchmanager job.

For example:

  • Searchmanager runs a search across an index that provides a username field in the results
  • Set token $username$ to the result of that search
  • Use token in content block, use token in another searchmanager

I've tried something similar to this:


{% block content %}
...
<span id=testHTMLTag></span>
...
{% endblock content%}

{% block managers %}
{% searchmanager
id="current_username"
search='| rest /services/authentication/current-context | fields username'
%}
{% endblock managers %}

{% block js %}

<script>

require(["splunkjs/ready!"], function(mvc) {
    var current_username = mvc.Components.getInstance("current_username");
    var tokens = mvc.Components.getInstance("default");

    document.getElementById('testHTMLTag').innerHTML = current_username.data("result");

    tokens.set({
        "username": var tokens = mvc.Components.getInstance("default")[0].username;
    });

</script>

{% endblock js %}


The problem here is that I'm black box testing against the searchmanager results model since I've been unable to locate sufficient documentation that describes the results model object and how to interact with it.

I realize there are a lot of ways to skin the username cat, what I'm interested in is a more generic approach to extracting specific row/column data from a search and assigning it to tokens for use by other Splunk components.

I also realize that I might be going down a huge rabbit hole with the obvious answer staring me right in the face. In short, I would love to be able to do a ResultsValueSetter in the Web Framework.

Clear as mud?

Thanks,
Chris

chrisdopuch
Path Finder

Black boxing the search results is unnecessary. Just do a console.log(search_id) in the console, and peruse the object it returns. You can view all the columns and rows of the returned data this way, and then determine what you want and what chain of attributes to reference in order to get it.

0 Karma

ineeman
Splunk Employee

I wanted to create a simple example for you that shows how you can extract the result contents of a specific search and push the values into tokens. The full HTML is below.

The general gist is that the search results are not pushed automatically into tokens. This is done for a few reasons:
1. Not to pollute the token namespace for no reason.
2. Tokens are generally "simple" values, i.e. strings, integers, booleans. Search results are complex values (arrays/dictionaries), and we have no way for you to index into them. As such, we'd have to push each row and each column of each row into its own token, which is what would cause the pollution alluded to in (1).

To avoid these issues, we simply leave it up to the developer to decide what will be present in their tokens.

Let us know if this answers your question or if you want any further clarification.


{% extends "splunkdj:base_with_app_bar.html" %}

{% load splunkmvc %}

{% block title %}Itay's Test Page{% endblock title %}

{% block css %}
    <link rel="stylesheet" type="text/css" href="{{STATIC_URL}}splunkjs/css/dashboard.css" />
{% endblock css %}

{% block content %}

<div class="dashboard-body container-fluid main-section-body">
    <div class="row">
        <div class="span12 dashboard-header clearfix">
            <h2>Test Page</h2>
            <button id="start">Start!</button>
        </div>
    </div>
    <div class="dashboard-row">
        <div class="dashboard-cell" style="width: 100%;">
            <div class="dashboard-panel">
                <div class="dashboard-element">
                    <div class="panel-head">

                    </div>
                    <div class="panel-body">
                        <span id="holder">No sourcetype set</span>
                    </div>
                </div>
            </div>
        </div>
    </div>
    <div class="dashboard-row">
        <div class="dashboard-cell" style="width: 100%;">
            <div class="dashboard-panel">
                <div class="dashboard-element">
                    <div class="panel-head">

                    </div>
                    <div class="panel-body">
                        {% eventsviewer id="events" managerid="othersearch" count=3 %}
                    </div>
                </div>
            </div>
        </div>
    </div>
</div>

{% endblock content %}

{% block managers %}
    {% searchmanager
        autostart=False
        id="mysearch"
        search="| metadata index=_internal type=sourcetypes"
    %}
    {% searchmanager
        autostart=True
        id="othersearch"
        search="index=_internal sourcetype=$mysourcetype$ | head 10"|token_safe
    %}
{% endblock managers %}

{% block js %}
<script>
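require(["splunkjs/ready!"], function(mvc) {
    // "default" is the page-wide token model; the other two are the search managers declared above.
    var tokens = mvc.Components.get("default");
    var manager1 = mvc.Components.get("mysearch");
    var manager2 = mvc.Components.get("othersearch");

    // Show the token's value whenever it changes. .text() inserts it as plain text, not HTML.
    tokens.on("change:mysourcetype", function() {
        $("#holder").text(tokens.get("mysourcetype"));
    });

    // Ask "mysearch" for its results as JSON (count: 0 requests all rows).
    var resultsModel = manager1.data("results", {count: 0, output_mode: "json"});
    resultsModel.on("data", function() {
        if (!resultsModel.hasData()) {
            alert("No data!");
            return;
        }

        // data.results is an array of row objects keyed by field name.
        var data = resultsModel.data();
        var results = data.results;
        var lastRow = results[results.length - 1];
        var sourcetype = lastRow.sourcetype;

        // Setting the token re-runs "othersearch", which references $mysourcetype$.
        tokens.set("mysourcetype", sourcetype);
    });

    // "mysearch" has autostart=False, so it runs only when the button is clicked.
    $("#start").on("click", function() {
        manager1.startSearch();
    });
});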
</script>
{% endblock js %}
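
A generic version of the row/column extraction shown in the answer above, as an added example that is not part of the original thread or of Splunk's code. The names `extractCell`, `safeTokenValue` and `bindResultToToken` are hypothetical, the `fields`/`rows` layout for `json_rows` output and the allowlist pattern are assumptions, and the value is validated because the token is substituted into the text of another search.

```javascript
// Added example; extractCell, safeTokenValue and bindResultToToken are hypothetical names.
var SAFE_TOKEN = /^[A-Za-z0-9_.:-]{1,128}$/;   // assumed allowlist, tune per field

// Read one cell from the object returned by resultsModel.data(); rowIndex -1 = last row.
function extractCell(data, rowIndex, field) {
    if (!data) { return undefined; }
    var pick = function (list) {
        return list[rowIndex < 0 ? list.length + rowIndex : rowIndex];
    };
    if (Array.isArray(data.results)) {                 // output_mode "json", as on this page
        var row = pick(data.results);
        return row && Object.prototype.hasOwnProperty.call(row, field) ? row[field] : undefined;
    }
    if (Array.isArray(data.fields) && Array.isArray(data.rows)) {  // assumed "json_rows" layout
        var col = data.fields.indexOf(field);
        var cells = pick(data.rows);
        return col >= 0 && cells ? cells[col] : undefined;
    }
    return undefined;
}

// The token is spliced into another search string (sourcetype=$mysourcetype$),
// so accept only single string values that match the allowlist.
function safeTokenValue(value) {
    return typeof value === "string" && SAFE_TOKEN.test(value) ? value : null;
}

// Uses only the calls shown in the answer: on("data"), hasData(), data(), tokens.set().
function bindResultToToken(resultsModel, tokens, tokenName, rowIndex, field) {
    resultsModel.on("data", function () {
        if (!resultsModel.hasData()) { return; }
        var value = safeTokenValue(extractCell(resultsModel.data(), rowIndex, field));
        if (value !== null) { tokens.set(tokenName, value); }
    });
}

// Constructed sample data plus stand-ins for the SplunkJS objects, so this runs offline.
var sample = { results: [{ sourcetype: "splunkd" }, { sourcetype: "splunk_web_access" }] };
var hostile = { results: [{ sourcetype: "splunkd | stats count" }] };
function demo(data) {
    var handler, store = {};
    var model = { on: function (_, fn) { handler = fn; }, hasData: function () { return true; },
                  data: function () { return data; } };
    var tokens = { set: function (k, v) { store[k] = v; } };
    bindResultToToken(model, tokens, "mysourcetype", -1, "sourcetype");
    handler();                                   // simulate the "data" event
    return store.mysourcetype;
}
```

On a real page, pass `manager1.data("results", {count: 0, output_mode: "json"})` and `mvc.Components.get("default")` in place of the stand-ins.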

marco_sulla
Path Finder

This is extremely useful... what about adding it to the documentation?

0 Karma

dfoster_splunk
Splunk Employee

To my knowledge there are docs both for obtaining results from searches and for setting tokens.

0 Karma

marco_sulla
Path Finder

Link please?

0 Karma

cmwhite
Explorer

Something is seriously wrong with the edit captcha. Lines with desired behavior but not working pseudo code:

// Does NOT work. I was trying to guess the searchmanager object interface.
// Specifically current_username.data("result")
document.getElementById('testHTMLTag').innerHTML = current_username.data("results");

// Does NOT work. I was trying to guess the searchmanager object interface.
// current_username.data("results")[0].username
"username": var tokens = current_username.data("results")[0].username;

0 Karma

cmwhite
Explorer

aelliott is correct, I'm interested in the full process from searchmanager to setting a token from the results via javascript and/or any other mechanism available in the Web Framework.

I was not clear in my post, however, that the example code is not functioning, the calls to the current_username object are not accurate, but rather an example of black box guesswork on what the results model is expecting.

I've commented the erroneous rows that do NOT work, but I hoped it would help convey the desired behavior.

0 Karma

aelliott
Motivator

Chris, is this working using the method you are using above?

0 Karma

aelliott
Motivator

He wants to set a value of a token based on the result of a search. So basically extract a specific value of a given column through JavaScript so that he can use it to set a token.

0 Karma

dfoster_splunk
Splunk Employee

"extracting specific row/column data from a search"

Is this the actual question? The title of this post suggests that you have a question about tokens, but it's not clear what that is exactly.

0 Karma