Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Advanced XML in Splunk for Single Value

abhayneilam
Contributor
‎04-02-2014 11:15 AM

Hi,

I want to show the output in the following ways :

Today_Count : 1023
Yesterday_Count : 3456
Error_Count : 58657
Day1_count : 5757 average
Day2_Count : 8898 average

Now , I am using "single value" and using panel_row1_col1_grp1 , panel_row1_col1_grp2 , panel_row1_col1_grp3, panel_row1_col1_grp4 , so on , but the output is coming like :

Today_Count : 1023 Yesterday_Count : 3456 Error_Count : 58657 .....

The numeric value I am getting after running various queries.

Please help me to allign the results in a vertical manner instead of horizontal manner

Thanks in advance !!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-02-2014 11:35 AM

I like to use HTML modules for that. You can use <br/> and other tags to place the text where you like. You'll need the SideviewUtils app, though.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-03-2014 05:18 AM

I assumed all of your results were from a single query. If you can't combine your queries then you may want to experiment with putting an HTML module after each query with all of the HTML writing to the same layoutPanel. With any luck, each HTML module will append its output rather than overwrite what the previous HTML module wrote.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

abhayneilam
Contributor
‎04-02-2014 12:43 PM

"afterlable" is a param for "single Value" in Splunk.
Beforelable and Afterlable is used to put the string after and before the splunk results.
By the way : I have 6 queries running and each generating some count , how do I fit into your solution :
module name="HTML" layoutPanel="panel_row1_col1" autoRun="True">

  Today_Count : $results[0].Today_Count$<br/> Yesterday_Count : $results[0].Yesterday_Count$<br/> Error_Count : $results[0].Error_Count$<br/> Day1_count : $results[0].Day1_count$<br/> average Day2_Count : $results[0].Day2_Count$<br/> average
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-02-2014 12:12 PM

I'm not sure what "afterlabel" is. You should get results close you those you seek using the following within your Search module:

<module name="HTML" layoutPanel="panel_row1_col1" autoRun="True">
    <param name="html"><![CDATA[
      Today_Count : $results[0].Today_Count$<br/> Yesterday_Count : $results[0].Yesterday_Count$<br/> Error_Count : $results[0].Error_Count$<br/> Day1_count : $results[0].Day1_count$<br/> average Day2_Count : $results[0].Day2_Count$<br/> average
    ]]></param>
  </module>
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

abhayneilam
Contributor
‎04-02-2014 12:02 PM

I have done that but nothing is happening , I am using html module under "afterlabel" param . I want to use "enter" after afterlabel param so that after each count it will go to the new line.

0 Karma
Reply

somesoni2
Revered Legend
‎04-02-2014 11:35 AM

You can use HTML module to generated more formatted output. This can give your a start (using sideview util)

<module name="Search">
  <param name="search">
    <![CDATA[
Your Search giving field1, field2...
                        ]]>
  </param>

  <module name="ResultsValueSetter">
    <param name="fields">field1, field2...</param>
    <!--html-->

    <module name="HTML" layoutPanel="panel_row1_col1" group="Panle Header">
      <param name="html">
        <![CDATA[             

<table cellpadding="0" cellspacing="0" style="width: 100%;">
  <tr>
      <td>
          <table cellpadding="4" cellspacing="0" style="width: 100%;">
              <tr>
                  <td align="left">
                     <font size="2"><b> Field1 Label :</b></font>
                  </td>
                  <td>
                      $field1$
                  </td>
                  <td>
                      &nbsp;
                  </td>
              </tr>
              <tr>
                  <td align="left">
                       <font size="2"><b> Field2 Label :</b></font>
                  </td>
                  <td>
                      $field2$
                  </td>
                  <td>
                      &nbsp;
                  </td>
              </tr>
        </table>
     </td>
  </tr>
</table>  ]]>
      </param>
    </module>
  </module>
  <!-- ResultsValueSetter-->
</module>
0 Karma
Reply

somesoni2
Revered Legend
‎04-02-2014 01:16 PM

Combine all your search into one result set (may be using appendcols) to get one result row with multiple column. Remove all your single value modules and add this Search-ResultValueSetter-HTML module combination.

0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...