Having Event Viewer Render the HTML in a Field

ndoshi
Splunk Employee

My events have set fields that look like this:

7/9/10 5:00 foo="hi" bar="there" desc="<html><img src="http://server:port/picture.jpg"></html>"

Notice that the desc field has HTML within it. What would be the HTML template file such that the first 2 fields and date are rendered as normal in Splunk Web, but the desc field is rendered as interpreted HTML? In other words, instead of showing the raw HTML text, the field is interpreted by the browser and rendered by it.

I assume that this would follow the steps in the docs: http://www.splunk.com/base/Documentation/latest/Developer/EventRendering, but I will need at minimum an HTML template to interpret the data so that it can be rendered properly.

In short, I'm just trying to get Splunk Web in the event viewer to allow the browser to render the HTML for a field that I know will always have proper HTML within it.

sideview
SplunkTrust

If you want all the normal bells and whistles of the EventsViewer module, like with the action menus and workflow-actions and field-clicking behavior and all that, then you'll have to get into some complex stuff with a custom event renderer. Here are some docs: http://docs.splunk.com/Documentation/Splunk/5.0.1/AdvancedDev/EventRendering

If you're using a relatively recent copy of Sideview Utils though (2.2 or greater), then you can use the Multiplexer module with an HTML module, instead of the EventsViewer. The advantage there is that you don't need any custom code at all - it looks like this:

<module name="Multiplexer">
  <param name="fields">desc</param>

  <module name="HTML">
    <param name="html"><![CDATA[
      <b>this is some static HTML, followed by the HTML in the desc field on the next line</b><br>
      $desc$

    ]]></param>
  </module>
</module>

Multiplexer is definitely a peculiar module. It's not a module anyone needs or uses very often. In fact you can probably get by without ever using it for anything ever. But when you do need it for something, it can be crazy useful. What it will do in this simple example is create a copy of that HTML module for every row in the current search results, and in each of those cloned HTML modules, the $desc$ key will have the value of the $desc$ field in that row of the search results. You can also multiplex any number of modules so you can nest complex configs with PostProcess and JSCharts and really powerful config in there if you ever need it.

There's a decent amount of docs dedicated to Multiplexer in Sideview Utils itself under "Module Documentation > Advanced Modules > The Multiplexer Module"
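
The question relies on the desc field always holding proper HTML. A fail-closed check of that assumption, run on a value before it is handed to the browser for rendering, is sketched here as an added example; it is not part of the original thread, Splunk Web or Sideview Utils. The names `isSafeDescHtml` and `ALLOWED`, the tag allowlist and the sample values in the comments are assumptions.

```javascript
// Added example: accept a field value only if every token is plain text or an
// allowlisted tag with allowlisted attributes; anything else is rejected whole.
// Hypothetical allowlist: tag name -> permitted attribute names.
const ALLOWED = new Map([
  ["html", []], ["b", []], ["br", []], ["img", ["src", "alt"]],
]);
// One token: a text run, or a tag whose attributes are all name="value".
const TOKEN = /([^<>]+)|<(\/?)([a-z][a-z0-9]*)((?:\s+[a-z-]+="[^"<>]*")*)\s*>/iy;
const ATTR = /\s+([a-z-]+)="([^"<>]*)"/gi;

// Only absolute http/https URLs pass; javascript:, data: and relative values fail.
function isHttpUrl(value) {
  try {
    const protocol = new URL(value).protocol;
    return protocol === "http:" || protocol === "https:";
  } catch (e) {
    return false;
  }
}

function isSafeDescHtml(input) {
  if (typeof input !== "string") return false;
  let pos = 0;
  while (pos < input.length) {
    TOKEN.lastIndex = pos;
    const m = TOKEN.exec(input);
    if (!m) return false;               // unparseable markup: fail closed
    pos = TOKEN.lastIndex;
    if (m[1] !== undefined) continue;   // text run, nothing to check
    const closing = m[2] === "/";
    const allowedAttrs = ALLOWED.get(m[3].toLowerCase());
    if (!allowedAttrs) return false;    // tag not on the allowlist
    if (closing && m[4] !== "") return false;
    for (const [, name, value] of m[4].matchAll(ATTR)) {
      const attr = name.toLowerCase();
      if (!allowedAttrs.includes(attr)) return false;
      if (attr === "src" && !isHttpUrl(value)) return false;
    }
  }
  return true;
}

// Constructed sample values (port 8000 stands in for the post's "port"):
// isSafeDescHtml('<html><img src="http://server:8000/picture.jpg"></html>')
// isSafeDescHtml('<img src="http://server:8000/a.jpg" onerror="x()">')
```

Values that fail the check can be shown as escaped text instead of being rendered.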
