Dashboards & Visualizations

Horizontally grouping modules without extra text/titles?

ahall_splunk
Splunk Employee
Splunk Employee

I want to be able to group 3 SingleValues modules horizontally, as part of a post-process, so I have:

stats count
Count
count

... repeated three times with different values after the grpX. I want to group these. I've tried module StaticContentSample, that requires a "text" field and always displays some text. I've also tried the GenericHeader, that requires a "label" field and always displays a header.

Is there a way to get the grouping without the associated text/label?

Tags (1)
0 Karma
1 Solution

ahall_splunk
Splunk Employee
Splunk Employee

Yeah - I thought of that, but that still produces a title based on the "group=" information.

I did find the information, which is to use NullModule

<module name="NullModule" layoutPanel="panel_row2_col1" autoRun="True">
<module name="HiddenPostProcess" layoutPanel="panel_row2_col1_grp1" autoRun="True">
...
</module>
<module name="HiddenPostProcess" layoutPanel="panel_row2_col1_grp2" autoRun="True">
...
</module>
</module>

View solution in original post

0 Karma

ahall_splunk
Splunk Employee
Splunk Employee

Yeah - I thought of that, but that still produces a title based on the "group=" information.

I did find the information, which is to use NullModule

<module name="NullModule" layoutPanel="panel_row2_col1" autoRun="True">
<module name="HiddenPostProcess" layoutPanel="panel_row2_col1_grp1" autoRun="True">
...
</module>
<module name="HiddenPostProcess" layoutPanel="panel_row2_col1_grp2" autoRun="True">
...
</module>
</module>
0 Karma

sideview
SplunkTrust
SplunkTrust

And again you really want to get those extra autoRun="True" attributes out of there. Leave only the topmost one on the NullModule.

0 Karma

sideview
SplunkTrust
SplunkTrust

just fyi, the "foo" title that comes from modules having group="foo" attributes is not related at all to the "grpN" part of the layoutPanel attributes. Maybe I'm missing something though.

0 Karma

hazekamp
Builder

We do something similar to this in ESS. You can use the layoutPanel format of "panel_rowX_colY_grpZ".

<module name="HiddenSavedSearch" layoutPanel="panel_row1_col1" autoRun="True" group="Notable Events by ESS Domain">
<param name="savedSearch">ESS - Notable Events by Domain</param>
<param name="useHistory">Auto</param>
<module name="SimpleResultsHeader">
  <param name="entityName">scanned</param>
  <param name="headerFormat">%(count)s events scanned $time$</param>
</module>
<module name="HiddenPostProcess" layoutPanel="panel_row1_col1_grp1">
  <param name="search">search security_domain=access | `notable_rangemap_access` | eval label="Access: ".count</param>
  <module name="EnablePreview">
    <param name="display">false</param>
    <param name="enable">true</param>
    <module name="SingleValue">
      <param name="field">label</param>
      <param name="classField">range</param>
      <param name="linkSearch">`notable` | search $statusToken$ $urgencyToken$ $securityDomainToken$ $governanceToken$ | search security_domain=access</param>
      <param name="linkView">incident_review</param>
    </module>
  </module>
</module>
<module name="HiddenPostProcess" layoutPanel="panel_row1_col1_grp2">
  <param name="search">search security_domain=endpoint | `notable_rangemap_endpoint` | eval label="Endpoint: ".count</param>
  <module name="EnablePreview">
    <param name="display">false</param>
    <param name="enable">true</param>
    <module name="SingleValue">
      <param name="field">label</param>
      <param name="classField">range</param>
      <param name="linkSearch">`notable` | search $statusToken$ $urgencyToken$ $securityDomainToken$ $governanceToken$ | search security_domain=endpoint</param>
      <param name="linkView">incident_review</param>
    </module>
  </module>
</module>
<module name="HiddenPostProcess" layoutPanel="panel_row1_col1_grp3">
  <param name="search">search security_domain=network | `notable_rangemap_network` | eval label="Network: ".count</param>
  <module name="EnablePreview">
    <param name="display">false</param>
    <param name="enable">true</param>
    <module name="SingleValue">
      <param name="field">label</param>
      <param name="classField">range</param>
      <param name="linkSearch">`notable` | search $statusToken$ $urgencyToken$ $securityDomainToken$ $governanceToken$ | search security_domain=network</param>
      <param name="linkView">incident_review</param>
    </module>
  </module>
</module>
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...