How to set a token from a base search in my dashboard to be consumed in an HTML panel?

mclane1
Path Finder

Hello,
Like the previous post, I would like to interpret code in HTML.
Just a little change: HTML in a token.

<dashboard>
   <label>TEST</label>
   <row>
     <panel>
       <table>
         <search>
           <query>index=* |stats count by sourcetype</query>
           <earliest>-60m@m</earliest>
           <latest>now</latest>
           <finalized >
                     <condition match=" 'job.resultCount' != 0">
                             <set token="tok_wimg">Number of results : &lt;BR/&gt;$result.sourcetype$</set>
                         </condition>
                         <condition>
                             <set token="tok_wimg">No result found</set>
                         </condition>
           </finalized >           
         </search>
         <option name="wrap">true</option>
         <option name="rowNumbers">false</option>
         <option name="drilldown">cell</option>
         <option name="dataOverlayMode">none</option>
         <option name="count">10</option>
       </table>
     </panel>
   </row>
   <row>
     <panel>
       <html>
       <h1>$tok_wimg$</h1>
     </html>
     </panel>
   </row>
 </dashboard>

How can I see this in the HTML:

Number of results :
2

0 Karma
1 Solution

niketn
Legend

@mclane1, what you are asking can actually lead to an HTML injection vulnerability. So although there is an option to pass <br/> within a Splunk token, it will always be treated as a string through HTML escaping. The following is an easy workaround that you can try:

<dashboard>
  <label>Dashboard Token with HTML</label>
    <search id="baseSearch">
      <query>index=_internal
| stats count by sourcetype</query>
      <earliest>-60m@m</earliest>
      <latest>now</latest>
      <done>
        <condition match="$job.resultCount$ == 0">
          <set token="tok_wimg_static">No results found</set>
          <set token="tok_wimg_dynamic"></set>
        </condition>
        <condition>
          <set token="tok_wimg_static">Number of results :</set>
          <set token="tok_wimg_dynamic">$job.resultCount$</set>
        </condition>
      </done>
    </search>  
    <row>
      <panel>
        <table>
          <search base="baseSearch"></search>
          <option name="wrap">true</option>
          <option name="rowNumbers">false</option>
          <option name="drilldown">cell</option>
          <option name="dataOverlayMode">none</option>
          <option name="count">10</option>
        </table>
      </panel>
    </row>
    <row>
      <panel>
        <html>
          <h1>$tok_wimg_static$<br/>$tok_wimg_dynamic$</h1>
        </html>
      </panel>
    </row>
  </dashboard>

I have retained <br/> within the <html> section and broken down the text to be displayed into two sections (static and dynamic, based on the number of results).

PS: If you are on Splunk Enterprise prior to 6.5, you would need to use <finalized> as used in your question; otherwise, use <done> as used in this example, since the search event handlers have been changed. Post Splunk Enterprise 6.5, the <finalized> and <preview> search event handlers have been changed to the <done> and <progress> event handlers.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

mclane1
Path Finder

Finally, I use the split(field, ",") command in the query.

niketn
Legend

Yes, the split() function or the makemv command will also do. The following is a run-anywhere search:

| makeresults
| eval field="A,B,C,D"
| makemv field delim=","
0 Karma

mclane1
Path Finder

I was afraid of this answer. In reality, I have replace(field, ",", "<BR/>") in the query, but like you say, it can actually lead to an HTML injection vulnerability.
I will search again for another possibility.

0 Karma

mclane1
Path Finder

My field contains "A,B,C,D"
and I want

A
B
C
D
0 Karma
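
The thread's two points, escaped token values and line breaks kept in static markup, shown as an added example that is not part of the original posts and is not Splunk's code. It is a small JavaScript model of the behaviour described in the accepted answer; the function names and sample values are hypothetical and constructed for illustration.

```javascript
// Added illustration: a model of escaped token substitution, not Splunk's code.
// All function names here are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Turn markup characters into entities so a value can only render as text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Replace $name$ placeholders; the template's own markup is trusted,
// token values are not and are escaped before insertion.
function substituteTokens(template, tokens) {
  return template.replace(/\$(\w+)\$/g, (placeholder, name) =>
    Object.prototype.hasOwnProperty.call(tokens, name)
      ? escapeHtml(tokens[name])
      : placeholder);
}

// Split a delimited value, escape each item, and join with a static <br/>.
// The line break comes from this code, never from the data.
function renderLines(value, delimiter = ',') {
  return String(value)
    .split(delimiter)
    .map((item) => escapeHtml(item.trim()))
    .join('<br/>');
}

// Constructed sample values.
const samples = {
  // Markup carried inside the token: shown as literal text.
  inToken: substituteTokens('<h1>$tok_wimg$</h1>',
    { tok_wimg: 'Number of results : <BR/>2' }),
  // Markup kept in the panel, data kept in the tokens: a real line break.
  inPanel: substituteTokens('<h1>$tok_wimg_static$<br/>$tok_wimg_dynamic$</h1>',
    { tok_wimg_static: 'Number of results :', tok_wimg_dynamic: '2' }),
  // The follow-up case: "A,B,C,D" on four lines.
  list: renderLines('A,B,C,D'),
  // An item that itself contains markup stays inert.
  withMarkup: renderLines('A,<img src=x>,C&D'),
};

console.log(samples);
```

Splitting before escaping is what keeps the `<br/>` separator out of reach of the data: any markup inside an item is converted to entities before the trusted separator is added.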