Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Advanced XML in Splunk for Single Value

abhayneilam
Contributor
‎04-02-2014 11:15 AM

Hi,

I want to show the output in the following ways :

Today_Count : 1023
Yesterday_Count : 3456
Error_Count : 58657
Day1_count : 5757 average
Day2_Count : 8898 average

Now , I am using "single value" and using panel_row1_col1_grp1 , panel_row1_col1_grp2 , panel_row1_col1_grp3, panel_row1_col1_grp4 , so on , but the output is coming like :

Today_Count : 1023 Yesterday_Count : 3456 Error_Count : 58657 .....

The numeric value I am getting after running various queries.

Please help me to allign the results in a vertical manner instead of horizontal manner

Thanks in advance !!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-02-2014 11:35 AM

I like to use HTML modules for that. You can use <br/> and other tags to place the text where you like. You'll need the SideviewUtils app, though.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-03-2014 05:18 AM

I assumed all of your results were from a single query. If you can't combine your queries then you may want to experiment with putting an HTML module after each query with all of the HTML writing to the same layoutPanel. With any luck, each HTML module will append its output rather than overwrite what the previous HTML module wrote.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

abhayneilam
Contributor
‎04-02-2014 12:43 PM

"afterlable" is a param for "single Value" in Splunk.
Beforelable and Afterlable is used to put the string after and before the splunk results.
By the way : I have 6 queries running and each generating some count , how do I fit into your solution :
module name="HTML" layoutPanel="panel_row1_col1" autoRun="True">

  Today_Count : $results[0].Today_Count$<br/> Yesterday_Count : $results[0].Yesterday_Count$<br/> Error_Count : $results[0].Error_Count$<br/> Day1_count : $results[0].Day1_count$<br/> average Day2_Count : $results[0].Day2_Count$<br/> average
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-02-2014 12:12 PM

I'm not sure what "afterlabel" is. You should get results close you those you seek using the following within your Search module:

<module name="HTML" layoutPanel="panel_row1_col1" autoRun="True">
    <param name="html"><![CDATA[
      Today_Count : $results[0].Today_Count$<br/> Yesterday_Count : $results[0].Yesterday_Count$<br/> Error_Count : $results[0].Error_Count$<br/> Day1_count : $results[0].Day1_count$<br/> average Day2_Count : $results[0].Day2_Count$<br/> average
    ]]></param>
  </module>
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

abhayneilam
Contributor
‎04-02-2014 12:02 PM

I have done that but nothing is happening , I am using html module under "afterlabel" param . I want to use "enter" after afterlabel param so that after each count it will go to the new line.

0 Karma
Reply

somesoni2
Revered Legend
‎04-02-2014 11:35 AM

You can use HTML module to generated more formatted output. This can give your a start (using sideview util)

<module name="Search">
  <param name="search">
    <![CDATA[
Your Search giving field1, field2...
                        ]]>
  </param>

  <module name="ResultsValueSetter">
    <param name="fields">field1, field2...</param>
    <!--html-->

    <module name="HTML" layoutPanel="panel_row1_col1" group="Panle Header">
      <param name="html">
        <![CDATA[             

<table cellpadding="0" cellspacing="0" style="width: 100%;">
  <tr>
      <td>
          <table cellpadding="4" cellspacing="0" style="width: 100%;">
              <tr>
                  <td align="left">
                     <font size="2"><b> Field1 Label :</b></font>
                  </td>
                  <td>
                      $field1$
                  </td>
                  <td>
                      &nbsp;
                  </td>
              </tr>
              <tr>
                  <td align="left">
                       <font size="2"><b> Field2 Label :</b></font>
                  </td>
                  <td>
                      $field2$
                  </td>
                  <td>
                      &nbsp;
                  </td>
              </tr>
        </table>
     </td>
  </tr>
</table>  ]]>
      </param>
    </module>
  </module>
  <!-- ResultsValueSetter-->
</module>
0 Karma
Reply

somesoni2
Revered Legend
‎04-02-2014 01:16 PM

Combine all your search into one result set (may be using appendcols) to get one result row with multiple column. Remove all your single value modules and add this Search-ResultValueSetter-HTML module combination.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...