Dashboards & Visualizations

How to set a token from a base search in my dashboard to be consumed in an HTML panel?

mclane1
Path Finder

Hello,
Like previous post I would like interpret code in html.
Just a little change : html in token.

<dashboard>
   <label>TEST</label>
   <row>
     <panel>
       <table>
         <search>
           <query>index=* |stats count by sourcetype</query>
           <earliest>-60m@m</earliest>
           <latest>now</latest>
           <finalized >
                     <condition match=" 'job.resultCount' != 0">
                             <set token="tok_wimg">Number of results : &lt;BR/&gt;$result.sourcetype$</set>
                         </condition>
                         <condition>
                             <set token="tok_wimg">No result found</set>
                         </condition>
           </finalized >           
         </search>
         <option name="wrap">true</option>
         <option name="rowNumbers">false</option>
         <option name="drilldown">cell</option>
         <option name="dataOverlayMode">none</option>
         <option name="count">10</option>
       </table>
     </panel>
   </row>
   <row>
     <panel>
       <html>
       <h1>$tok_wimg$</h1>
     </html>
     </panel>
   </row>
 </dashboard>

How can I see in html

Number of results :
2

Tags (1)
0 Karma
1 Solution

niketnilay
Legend

@mclane1, what you are asking can actually lead to HTML Injection vulnerability. So although there is an option to pass on <br/> within Splunk token it will always be treated as a string through HTML Escaping. So following is an easy workaround that you can try:

<dashboard>
  <label>Dashboard Token with HTML</label>
    <search id="baseSearch">
      <query>index=_internal
| stats count by sourcetype</query>
      <earliest>-60m@m</earliest>
      <latest>now</latest>
      <done>
        <condition match="$job.resultCount$ == 0">
          <set token="tok_wimg_static">No results found</set>
          <set token="tok_wimg_dynamic"></set>
        </condition>
        <condition>
          <set token="tok_wimg_static">Number of results :</set>
          <set token="tok_wimg_dynamic">$job.resultCount$</set>
        </condition>
      </done>
    </search>  
    <row>
      <panel>
        <table>
          <search base="baseSearch"></search>
          <option name="wrap">true</option>
          <option name="rowNumbers">false</option>
          <option name="drilldown">cell</option>
          <option name="dataOverlayMode">none</option>
          <option name="count">10</option>
        </table>
      </panel>
    </row>
    <row>
      <panel>
        <html>
        <h1>$tok_wimg_static$&lt;br/&gt;$tok_wimg_dynamic$</h1>
      </html>
      </panel>
    </row>
  </dashboard>

I have retained <br/> withing <html> section and broken down the text to be displayed into two sections (static and dynamic based on number of results).

PS: If you are on Splunk Enterprise prior to 6.5 you would need to use <finalized> as used in your question else use <done> as used in this example. Since the Search Event Handlers have been changed. Post Splunk Enterprise 6.5 <finalized> and <preview> search event handlers have been changed with <done> and <progress> Event Handlers.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketnilay
Legend

@mclane1, what you are asking can actually lead to HTML Injection vulnerability. So although there is an option to pass on <br/> within Splunk token it will always be treated as a string through HTML Escaping. So following is an easy workaround that you can try:

<dashboard>
  <label>Dashboard Token with HTML</label>
    <search id="baseSearch">
      <query>index=_internal
| stats count by sourcetype</query>
      <earliest>-60m@m</earliest>
      <latest>now</latest>
      <done>
        <condition match="$job.resultCount$ == 0">
          <set token="tok_wimg_static">No results found</set>
          <set token="tok_wimg_dynamic"></set>
        </condition>
        <condition>
          <set token="tok_wimg_static">Number of results :</set>
          <set token="tok_wimg_dynamic">$job.resultCount$</set>
        </condition>
      </done>
    </search>  
    <row>
      <panel>
        <table>
          <search base="baseSearch"></search>
          <option name="wrap">true</option>
          <option name="rowNumbers">false</option>
          <option name="drilldown">cell</option>
          <option name="dataOverlayMode">none</option>
          <option name="count">10</option>
        </table>
      </panel>
    </row>
    <row>
      <panel>
        <html>
        <h1>$tok_wimg_static$&lt;br/&gt;$tok_wimg_dynamic$</h1>
      </html>
      </panel>
    </row>
  </dashboard>

I have retained <br/> withing <html> section and broken down the text to be displayed into two sections (static and dynamic based on number of results).

PS: If you are on Splunk Enterprise prior to 6.5 you would need to use <finalized> as used in your question else use <done> as used in this example. Since the Search Event Handlers have been changed. Post Splunk Enterprise 6.5 <finalized> and <preview> search event handlers have been changed with <done> and <progress> Event Handlers.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

mclane1
Path Finder

Finally, I use split(field, ",") command in query.

niketnilay
Legend

Yes split() function or makemv command will also do. Following is run anywhere search:

| makeresults
| eval field="A,B,C,D"
| makemv field delim=","
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

mclane1
Path Finder

I was afraid of this answer. In reality, I have in query replace(field, ",", "<BR/>") but like you say, can actually lead to HTML injection vulnerability.
I search again other possibility

0 Karma

mclane1
Path Finder

My field contain "A,B,C,D"
and I want

A
B
C
D
0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!