Dashboards & Visualizations

Custom app view - one div per host, table inside divs

Motivator

I am trying to build a custom view where I show the CDP neighborhood of Cisco Nexus switches. I would like to create one HTML div per host and inside this div I want to show the CDP neighbors of this host in a table.

I have been playing with event_renderers.conf a little and trying to create a custom HTML renderer but I am stuck. I simply cannot find any good examples of how to do this. Do you have anyone I can get in touch with to give me some quick examples on how to do this?

The data I am trying to use looks like this:

host cdp_local_int cdp_remote_dvc cdp_remote_int cdp_remote_ip mnemonic
x-4105-n5596-1.mgmt.local Ethernet106/1/10 x-4105-n1000v-2 Ethernet17/5 192.168.80.253 NEIGHBOR_ADDED
x-4105-n5596-1.mgmt.local Ethernet106/1/11 x-4105-n1000v-2 Ethernet20/5 192.168.80.253 NEIGHBOR_ADDED
x-4105-n5596-1.mgmt.local Ethernet106/1/12 x-4105-n1000v-2 Ethernet19/5 192.168.80.253 NEIGHBOR_ADDED
x-4105-n5596-1.mgmt.local Ethernet106/1/13 x-4105-n1000v-1 Ethernet28/5 192.168.94.11 NEIGHBOR_ADDED
x-4105-n1000v-1 Ethernet28/5 x-4105-n5596-1 Ethernet106/1/13 192.168.94.11 NEIGHBOR_ADDED
x-4105-n5596-1.mgmt.local Ethernet106/1/15 x-4105-n1000v-1 Ethernet29/5 192.168.94.11 NEIGHBOR_ADDED
x-4105-n5596-1.mgmt.local Ethernet106/1/3 x-4105-n1000v-1 Ethernet49/5 192.168.94.11 NEIGHBOR_ADDED



So for every host, show each of its cdp_remote_dvc in a table. The next step would be drawing lines between the hosts + cdp_local_ints, but I'm not going to bother with this yet - if it is possible at all.

0 Karma

SplunkTrust
SplunkTrust

I think it's a lot easier to use the Sideview Multiplexer for cases like this, than to use the core event_renderer.conf system. For event_renderers you need to write a mako template which is python mixed with html, and set a number of conf keys just right. With the Multiplexer on the other hand it's just the XML itself. You'll find docs about the Multiplexer module inside Sideview Utils itself. (Note that the Multiplexer module wont exist if you only have the really old versions of Sideview Utils on Splunkbase).

Here's the idea though, you give the Multiplexer a field param; in this case you would give it host. You also give it some downstream module config. It can be as simple as a single HTML module, or it can be a bunch of different modules. What the Multiplexer will do then is create one cloned copy of this config, for each value of host that it sees in the search results. The Multiplexer module basically "multiplexes" that downstream config once for every row in the current search results.

Multiplexer is itself pageable using the Sideview Pager module, so it's effectively a very powerful custom renderer, but one for which you don't have to write any custom code (not counting the XML as code of course).

When you're just multiplexing an HTML module it's pretty dead simple. When you want to multiplex a Table or JSChart module though, you have to know how to use postProcess techniques, such that you use postProcess to get different datasets out of a single larger master dataset. Here's an example of a paged, multiplexed, set of paged tables...

This renders a pageable set of sourcetypes, and for each one it renders a Table module showing the sources that comprise that sourcetype.

<module name="Search" layoutPanel="panel_row2_col1" autoRun="True">
  <param name="search">* | head 100000 | stats count by sourcetype source</param>
  <param name="earliest">-1h</param>
  <param name="latest">now</param>

  <module name="JobProgressIndicator" />

  <module name="PostProcess">
    <param name="search">dedup sourcetype</param>

    <module name="Pager">
      <param name="count">5</param>

      <module name="Multiplexer">
        <param name="field">sourcetype</param>

        <module name="PostProcess">
          <param name="search">search sourcetype="$sourcetype$" | stats sum(count) as eventCount by source</param>
          <module name="HTML">
            <param name="html"><![CDATA[
              <b>$sourcetype$</b> 
            ]]></param>
          </module>
          <module name="Pager">
            <module name="Table" />
          </module>

        </module>
      </module>
    </module>
  </module>
</module>

In a way it's just as strange as event_renderers.conf, but hopefully you find it useful and many others have.

SplunkTrust
SplunkTrust

No, you'll need the OEM license because the internal use licensing restricts you from distributing that app as a software product to third parties. However if you're planning on never charging for the app, then I do have another option for you that others have done -- email me at nick [at] sideviewapps.com and I can tell you how it works. Basically if you agree to pay the per-project fees if you ever start charging for the app, then you can have a sort of watered-down Sideview OEM license.

0 Karma

Motivator

Nice! I will definitely check it out. This is for an app I am writing which will be released on Splunkbase. Is the full version for internal use OK to use in this case?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!