Fetch results from a form search

Stefan_van_de_R
Explorer

Hi,

I made a simple form search as shown in the Splunk documentation (http://docs.splunk.com/Documentation/Splunk/latest/Developer/Step1CreateAForm).

Is it possible to fetch the results from this search and render it without using the element?
For example, is it possible to do something like "IP Address $src_ip$ is binded with MAC Address $src_mac$"?

sourcetype="DHCP_Log" AND src_ip = $src_ip$ AND src_mac != '' | sort -_time | head 1 | fields src_ip,src_mac
*
false 1

Thanks!

Regards, Stefan

0 Karma

Stefan_van_de_R
Explorer

Thanks for your reply. At the end I used Sideview Utils to extract the results.

<view autoCancelInterval="90" isVisible="true" onunloadCancelJobs="true" template="dashboard.html" isSticky="False">
    <label>IP / MAC</label>
    <module name="AccountBar" layoutPanel="appHeader" />
    <module name="AppBar" layoutPanel="appHeader" />
    <module name="SideviewUtils" layoutPanel="appHeader" />

    <module name="HTML" layoutPanel="viewHeader">
            <param name="html"><![CDATA[
                    <h1>Lookup IP and MAC addresses</h1>
            ]]></param>
    </module>

    <module name="TextField" layoutPanel="panel_row1_col1" autoRun="False">
            <param name="name">selectedReport</param>
            <param name="label">Lookup IP/MAC</param>

            <module name="Search" layoutPanel="panel_row2_col1" group="Device information">
                    <param name="search">sourcetype=DHCP_Log AND (src_ip = $selectedReport$ AND src_mac != '') OR (src_ip != '' AND src_mac = $selectedReport$) | head 1</param>
                    <param name="earliest">-120min</param>

                    <module name="HTML">
                            <param name="html"><![CDATA[
                                    <div>IP Address: $results[0].src_ip$<br />
                                    MAC Address: $results[0].src_mac$<br />
                                    </div>
                            ]]></param>
                    </module>
            </module>
    </module>
</view>

0 Karma

Ayn
Legend

Not to my knowledge, but what you can do is eval a field to contain the text that you want. Like:

sourcetype="DHCP_Log" AND src_ip = $src_ip$ AND src_mac != '' | sort -_time | head 1 | eval msg="IP Address ".src_ip." is binded with MAC Address ".src_mac | fields msg
0 Karma
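
The searches in this thread substitute the form value ($src_ip$, $selectedReport$) straight into the search string, so whatever is typed into the field becomes part of the query. The following is an added example, not part of any post above and not Splunk or Sideview Utils code: a Python check that accepts only an IPv4 or MAC address before building the same DHCP lookup search. The function names and the accepted MAC format (six hex octets separated by ':' or '-') are assumptions.

```python
import ipaddress
import re

# Assumed MAC format: six hex octets, one consistent separator (':' or '-').
_MAC_RE = re.compile(r"[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}")


def classify_lookup_value(value):
    """Return ("ip", address) or ("mac", address); raise ValueError otherwise."""
    candidate = value.strip()
    try:
        # Strict dotted-quad parsing; text containing spaces, pipes or
        # wildcards is not a valid address and is rejected here.
        return "ip", str(ipaddress.IPv4Address(candidate))
    except ipaddress.AddressValueError:
        pass
    if _MAC_RE.fullmatch(candidate):
        return "mac", candidate
    raise ValueError("not an IPv4 or MAC address: %r" % (value,))


def build_dhcp_lookup_search(value):
    """Build the thread's DHCP lookup search from a validated address only."""
    kind, address = classify_lookup_value(value)
    # The value is quoted as well, so it is always read as one field value.
    if kind == "ip":
        clause = "src_ip=\"{0}\" AND src_mac != ''".format(address)
    else:
        clause = "src_mac=\"{0}\" AND src_ip != ''".format(address)
    return "sourcetype=DHCP_Log AND {0} | head 1 | fields src_ip,src_mac".format(clause)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the thread.
    for sample in ["10.0.0.5", "00:1A:2b:3c:4d:5e", "10.0.0.5 | head 100"]:
        try:
            print(build_dhcp_lookup_search(sample))
        except ValueError as err:
            print("rejected:", err)
```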