Dashboards & Visualizations

How to change image dynamically based on Search results in HTML Panel

niketn
Legend

I want to display different images in HTML panel based on Search results i.e.
1) traffic_green.png when my base search returns 10-20 minutes
2) traffic_yellow.png when the result returned is 21-40 min and
3) traffic_red.png when the result returned is 41-60 min.

I have been able to load the images in HTML Panel using condition match for job.resultCount, however similar code with result.<fieldName> does not work.

Following block based on search result count works fine and sets icon_name to green :

      <condition match="'job.resultCount'>0">
        <set token="icon_name">green</set>
      </condition>

Using <img> attribute fully qualified src path to icon image file is set dynamically with icon_name token set in previous step:

src="/static/app/<AppName>/traffic_$icon_name$.png"

How to write conditional match based on result.<fieldname> instead of job.resultCount?

Following does not work, where fieldname is single value field returned by search:

      <condition match="'result.fieldname'>0">
        <set token="icon_name">green</set>
      </condition>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
1 Solution

niketn
Legend

I was able to solve it myself using eval event handler in conjunction with condition handler.

The condition handler was used only to set the icon to red if no results found.

The eval handler was used to set the icon to red, yellow or green based on result.<fieldname> value from the Splunk search query and feeding it to case expression. Following is the pseudo code:

<!-- To Handle no result found as display red icon-->
<condition match="'job.resultCount'==0">
     <set token="icon_name">red</set>
</condition>
<!-- Else use eval condition to set icon based on values-->
<condition>
    <eval token="icon_name"> 
           <!-- Write case expression here to set token based on query search result for example 0-20 green, 21-40 yellow and 41+ red -->
    </eval>
</condition>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn
Legend

I was able to solve it myself using eval event handler in conjunction with condition handler.

The condition handler was used only to set the icon to red if no results found.

The eval handler was used to set the icon to red, yellow or green based on result.<fieldname> value from the Splunk search query and feeding it to case expression. Following is the pseudo code:

<!-- To Handle no result found as display red icon-->
<condition match="'job.resultCount'==0">
     <set token="icon_name">red</set>
</condition>
<!-- Else use eval condition to set icon based on values-->
<condition>
    <eval token="icon_name"> 
           <!-- Write case expression here to set token based on query search result for example 0-20 green, 21-40 yellow and 41+ red -->
    </eval>
</condition>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

gcusello
SplunkTrust
SplunkTrust

To do this see Dashboard Examples App - Table Icon Set (Rangemap).
You have to copy two files in your app and modify your dashboard.
Bye.
Giuseppe

0 Karma

niketn
Legend

I dont want to add icon within Table or any of Splunk Visualization like Single Value or Status Indicator.

I wanted to have dynamic icons directly in HTML Panel. I need help with result.. I am able to do the same with job.resultCount. However, I did not find any example on how to use result.field name.

You can check Set Result Setter under Dashboard Examples to see various Search Tokens have also mentioned result.fieldname.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn
Legend

correction result.<fieldname>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...