Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Advanced XML in Splunk for Single Value

abhayneilam
Contributor
‎04-02-2014 11:15 AM

Hi,

I want to show the output in the following ways :

Today_Count : 1023
Yesterday_Count : 3456
Error_Count : 58657
Day1_count : 5757 average
Day2_Count : 8898 average

Now , I am using "single value" and using panel_row1_col1_grp1 , panel_row1_col1_grp2 , panel_row1_col1_grp3, panel_row1_col1_grp4 , so on , but the output is coming like :

Today_Count : 1023 Yesterday_Count : 3456 Error_Count : 58657 .....

The numeric value I am getting after running various queries.

Please help me to allign the results in a vertical manner instead of horizontal manner

Thanks in advance !!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-02-2014 11:35 AM

I like to use HTML modules for that. You can use <br/> and other tags to place the text where you like. You'll need the SideviewUtils app, though.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-03-2014 05:18 AM

I assumed all of your results were from a single query. If you can't combine your queries then you may want to experiment with putting an HTML module after each query with all of the HTML writing to the same layoutPanel. With any luck, each HTML module will append its output rather than overwrite what the previous HTML module wrote.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

abhayneilam
Contributor
‎04-02-2014 12:43 PM

"afterlable" is a param for "single Value" in Splunk.
Beforelable and Afterlable is used to put the string after and before the splunk results.
By the way : I have 6 queries running and each generating some count , how do I fit into your solution :
module name="HTML" layoutPanel="panel_row1_col1" autoRun="True">

  Today_Count : $results[0].Today_Count$<br/> Yesterday_Count : $results[0].Yesterday_Count$<br/> Error_Count : $results[0].Error_Count$<br/> Day1_count : $results[0].Day1_count$<br/> average Day2_Count : $results[0].Day2_Count$<br/> average
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-02-2014 12:12 PM

I'm not sure what "afterlabel" is. You should get results close you those you seek using the following within your Search module:

<module name="HTML" layoutPanel="panel_row1_col1" autoRun="True">
    <param name="html"><![CDATA[
      Today_Count : $results[0].Today_Count$<br/> Yesterday_Count : $results[0].Yesterday_Count$<br/> Error_Count : $results[0].Error_Count$<br/> Day1_count : $results[0].Day1_count$<br/> average Day2_Count : $results[0].Day2_Count$<br/> average
    ]]></param>
  </module>
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

abhayneilam
Contributor
‎04-02-2014 12:02 PM

I have done that but nothing is happening , I am using html module under "afterlabel" param . I want to use "enter" after afterlabel param so that after each count it will go to the new line.

0 Karma
Reply

somesoni2
Revered Legend
‎04-02-2014 11:35 AM

You can use HTML module to generated more formatted output. This can give your a start (using sideview util)

<module name="Search">
  <param name="search">
    <![CDATA[
Your Search giving field1, field2...
                        ]]>
  </param>

  <module name="ResultsValueSetter">
    <param name="fields">field1, field2...</param>
    <!--html-->

    <module name="HTML" layoutPanel="panel_row1_col1" group="Panle Header">
      <param name="html">
        <![CDATA[             

<table cellpadding="0" cellspacing="0" style="width: 100%;">
  <tr>
      <td>
          <table cellpadding="4" cellspacing="0" style="width: 100%;">
              <tr>
                  <td align="left">
                     <font size="2"><b> Field1 Label :</b></font>
                  </td>
                  <td>
                      $field1$
                  </td>
                  <td>
                      &nbsp;
                  </td>
              </tr>
              <tr>
                  <td align="left">
                       <font size="2"><b> Field2 Label :</b></font>
                  </td>
                  <td>
                      $field2$
                  </td>
                  <td>
                      &nbsp;
                  </td>
              </tr>
        </table>
     </td>
  </tr>
</table>  ]]>
      </param>
    </module>
  </module>
  <!-- ResultsValueSetter-->
</module>
0 Karma
Reply

somesoni2
Revered Legend
‎04-02-2014 01:16 PM

Combine all your search into one result set (may be using appendcols) to get one result row with multiple column. Remove all your single value modules and add this Search-ResultValueSetter-HTML module combination.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...