Dashboards & Visualizations

How to change image dynamically based on Search results in HTML Panel

niketn
Legend

I want to display different images in HTML panel based on Search results i.e.
1) traffic_green.png when my base search returns 10-20 minutes
2) traffic_yellow.png when the result returned is 21-40 min and
3) traffic_red.png when the result returned is 41-60 min.

I have been able to load the images in HTML Panel using condition match for job.resultCount, however similar code with result.<fieldName> does not work.

Following block based on search result count works fine and sets icon_name to green :

      <condition match="'job.resultCount'>0">
        <set token="icon_name">green</set>
      </condition>

Using <img> attribute fully qualified src path to icon image file is set dynamically with icon_name token set in previous step:

src="/static/app/<AppName>/traffic_$icon_name$.png"

How to write conditional match based on result.<fieldname> instead of job.resultCount?

Following does not work, where fieldname is single value field returned by search:

      <condition match="'result.fieldname'>0">
        <set token="icon_name">green</set>
      </condition>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
1 Solution

niketn
Legend

I was able to solve it myself using eval event handler in conjunction with condition handler.

The condition handler was used only to set the icon to red if no results found.

The eval handler was used to set the icon to red, yellow or green based on result.<fieldname> value from the Splunk search query and feeding it to case expression. Following is the pseudo code:

<!-- To Handle no result found as display red icon-->
<condition match="'job.resultCount'==0">
     <set token="icon_name">red</set>
</condition>
<!-- Else use eval condition to set icon based on values-->
<condition>
    <eval token="icon_name"> 
           <!-- Write case expression here to set token based on query search result for example 0-20 green, 21-40 yellow and 41+ red -->
    </eval>
</condition>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn
Legend

I was able to solve it myself using eval event handler in conjunction with condition handler.

The condition handler was used only to set the icon to red if no results found.

The eval handler was used to set the icon to red, yellow or green based on result.<fieldname> value from the Splunk search query and feeding it to case expression. Following is the pseudo code:

<!-- To Handle no result found as display red icon-->
<condition match="'job.resultCount'==0">
     <set token="icon_name">red</set>
</condition>
<!-- Else use eval condition to set icon based on values-->
<condition>
    <eval token="icon_name"> 
           <!-- Write case expression here to set token based on query search result for example 0-20 green, 21-40 yellow and 41+ red -->
    </eval>
</condition>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

gcusello
SplunkTrust
SplunkTrust

To do this see Dashboard Examples App - Table Icon Set (Rangemap).
You have to copy two files in your app and modify your dashboard.
Bye.
Giuseppe

0 Karma

niketn
Legend

I dont want to add icon within Table or any of Splunk Visualization like Single Value or Status Indicator.

I wanted to have dynamic icons directly in HTML Panel. I need help with result.. I am able to do the same with job.resultCount. However, I did not find any example on how to use result.field name.

You can check Set Result Setter under Dashboard Examples to see various Search Tokens have also mentioned result.fieldname.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn
Legend

correction result.<fieldname>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...