Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Horizontally grouping modules without extra text/titles?

ahall_splunk
Splunk Employee
Splunk Employee
‎03-23-2011 06:05 PM

I want to be able to group 3 SingleValues modules horizontally, as part of a post-process, so I have:

stats count
Count
count

... repeated three times with different values after the grpX. I want to group these. I've tried module StaticContentSample, that requires a "text" field and always displays some text. I've also tried the GenericHeader, that requires a "label" field and always displays a header.

Is there a way to get the grouping without the associated text/label?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ahall_splunk
Splunk Employee
Splunk Employee
‎03-23-2011 06:25 PM

Yeah - I thought of that, but that still produces a title based on the "group=" information.

I did find the information, which is to use NullModule

<module name="NullModule" layoutPanel="panel_row2_col1" autoRun="True">
<module name="HiddenPostProcess" layoutPanel="panel_row2_col1_grp1" autoRun="True">
...
</module>
<module name="HiddenPostProcess" layoutPanel="panel_row2_col1_grp2" autoRun="True">
...
</module>
</module>

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ahall_splunk
Splunk Employee
Splunk Employee
‎03-23-2011 06:25 PM

Yeah - I thought of that, but that still produces a title based on the "group=" information.

I did find the information, which is to use NullModule

<module name="NullModule" layoutPanel="panel_row2_col1" autoRun="True">
<module name="HiddenPostProcess" layoutPanel="panel_row2_col1_grp1" autoRun="True">
...
</module>
<module name="HiddenPostProcess" layoutPanel="panel_row2_col1_grp2" autoRun="True">
...
</module>
</module>
0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎09-30-2011 12:48 PM

And again you really want to get those extra autoRun="True" attributes out of there. Leave only the topmost one on the NullModule.

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎07-29-2011 04:33 PM

just fyi, the "foo" title that comes from modules having group="foo" attributes is not related at all to the "grpN" part of the layoutPanel attributes. Maybe I'm missing something though.

0 Karma
Reply
Solved! Jump to solution

hazekamp
Builder
‎03-23-2011 06:22 PM

We do something similar to this in ESS. You can use the layoutPanel format of "panel_rowX_colY_grpZ". 

<module name="HiddenSavedSearch" layoutPanel="panel_row1_col1" autoRun="True" group="Notable Events by ESS Domain">
<param name="savedSearch">ESS - Notable Events by Domain</param>
<param name="useHistory">Auto</param>
<module name="SimpleResultsHeader">
  <param name="entityName">scanned</param>
  <param name="headerFormat">%(count)s events scanned $time$</param>
</module>
<module name="HiddenPostProcess" layoutPanel="panel_row1_col1_grp1">
  <param name="search">search security_domain=access | `notable_rangemap_access` | eval label="Access: ".count</param>
  <module name="EnablePreview">
    <param name="display">false</param>
    <param name="enable">true</param>
    <module name="SingleValue">
      <param name="field">label</param>
      <param name="classField">range</param>
      <param name="linkSearch">`notable` | search $statusToken$ $urgencyToken$ $securityDomainToken$ $governanceToken$ | search security_domain=access</param>
      <param name="linkView">incident_review</param>
    </module>
  </module>
</module>
<module name="HiddenPostProcess" layoutPanel="panel_row1_col1_grp2">
  <param name="search">search security_domain=endpoint | `notable_rangemap_endpoint` | eval label="Endpoint: ".count</param>
  <module name="EnablePreview">
    <param name="display">false</param>
    <param name="enable">true</param>
    <module name="SingleValue">
      <param name="field">label</param>
      <param name="classField">range</param>
      <param name="linkSearch">`notable` | search $statusToken$ $urgencyToken$ $securityDomainToken$ $governanceToken$ | search security_domain=endpoint</param>
      <param name="linkView">incident_review</param>
    </module>
  </module>
</module>
<module name="HiddenPostProcess" layoutPanel="panel_row1_col1_grp3">
  <param name="search">search security_domain=network | `notable_rangemap_network` | eval label="Network: ".count</param>
  <module name="EnablePreview">
    <param name="display">false</param>
    <param name="enable">true</param>
    <module name="SingleValue">
      <param name="field">label</param>
      <param name="classField">range</param>
      <param name="linkSearch">`notable` | search $statusToken$ $urgencyToken$ $securityDomainToken$ $governanceToken$ | search security_domain=network</param>
      <param name="linkView">incident_review</param>
    </module>
  </module>
</module>
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...