Custom event rendering via event_renderers.conf does not work with all views

loudsong
Explorer

I'm trying to build a minimalistic Splunk view that resembles the look of a text editor. I want a search bar at the top, and raw events below, and little else.

To this end, I'm trying to use custom event rendering so I can render events without the column that shows Splunk's timestamps. I've created an event_renderers.conf file and an eventtype that I use to identify the events I want custom event rendering for. The custom event rendering works when using the built-in Splunk search app, but the same config does not work on my own app, and I'm not sure why. Here's what I've configured:

# etc/apps/awtest2/local/event_renderers.conf
[awrenderer]
eventtype = frederick
priority = 201
css_class = awrenderer

# etc/apps/awtest2/local/eventtypes.conf
[frederick]
search = index=frederick rule

So, my expectation is that events that match eventtype=frederick would be rendered with a CSS class that looks like this:

<li class="item default splEvent-awrenderer" .....

But from my testing, there is something in the view XML itself that is required to make this work. For example, I set up a very simple view that is basically just a SearchBar and an EventsViewer. My view looks something like this (lots of lines removed for readability's sake):

<module name="SearchBar" layoutPanel="mainSearchControls">
  <module name="FlashTimeline" layoutPanel="graphArea">
    <module name="Paginator">
  <module name="EventsViewer">

But with this view, the custom event rendering did not take place. The resulting HTML for the event looks like this:

<li class="item default splEvent-__undefined__" .....

However, if I make a copy of the flashtimeline.xml view from the default Splunk search app and stick that in my app, the event rendering works fine using that view:

# The myflashtimeline.xml in my file exactly matches the Splunk search app's flashtimeline.xml file
root@splunk:/opt/splunk/etc/apps# diff search/default/data/ui/views/flashtimeline.xml awtest2/default/data/ui/views/myflashtimeline.xml 
root@splunk:/opt/splunk/etc/apps#

And using that view, the custom rendering works, and I see my CSS class show up:

<li class="item default splEvent-awrenderer" .....

So, both views here are in the same app, and are using the same event_renderers.conf file and eventtypes.conf file. Yet, custom event rendering works for one view, but not the other. It seems that something in the view is making the custom event rendering work, but I don't know what it is, and the docs don't mention anything that needs configuring in the view for this to work.

Can anyone help?


nmistry_splunk
Splunk Employee

By default, Splunk disables field extractions for certain fields. One of these fields, eventtype, is used by custom event rendering. I would update the search to include '... | fields eventtype' and you should have the custom rendering working.
