I'm trying to build a minimalistic splunk view that resembles the look of a text editor. I want a search bar at the top, and raw events below, and little else.
To this end, I'm trying to use custom event rendering so i can render events without the column that shows splunk's timestamps. I've created an event_renderers.conf file and an eventtype that I use to identify the events I want to custom event rendering for. The custom event rendering works when using the built in splunk search app, but the same config does not work on my own app, and I'm not sure why. Here's what I've configured:
But from my testing, there is something in the view XML itself that is required to make this work. For example, I set up a very simple view that is basically just a SearchBar and an EventsViewer. My view looks something like this (lots of lines removed for readability's sake):
However, if I make a copy of the flashtimeline.xml view from the default splunk search app and stick that in my app, the event rendering works fine using that view:
# The myflashtimeline.xml in my file exactly matches the Splunk search app's flashtimeline.xml file
root@splunk:/opt/splunk/etc/apps# diff search/default/data/ui/views/flashtimeline.xml awtest2/default/data/ui/views/myflashtimeline.xml
And using that view, the custom rendering works, and I see my CSS class show up:
So, both views here are in the same app, and are using the same event_renders.conf file and eventtypes.conf file. Yet, custom event rendering works for one view, but not the other. It seems that something in the view is making the custom event rendering work, but I don't know what it is, and the docs don't mention anything that needs configuring in the view for this to work.
By default splunk disables field extractions for certain fields. One of these fields, eventtype, is used by custom event render. I would update the search to include '...| fields eventtype' field and you should have the custom rendering working.