Dashboards & Visualizations

Is it possible for a search result to be manually added to a static HTML table on Dashboard?

morethanyell
Builder

I have a static table on a dashboard-panel. I was hoping someone could help me pass the result from a search into a <td> tag. I have a sample code below (sample only, my working search is much more complicated)

| makeresults
| eval SomeField = "Hello World"
| table SomeField

Which results in

SomeField
Hello World

My intention is to pass the result (Hello World) into a cell in my static table, like <td>Hello World</td>.

I understand that Splunk's default input fields have this Dynamic Options where you write the search string, choose the field for label and then the field for value, where you can use its $token$ to pass / append the result into a search string. Can I do the same programmatically in the source code of the dashboard and have the result appear in a <td> or a particular cell of my static HTML table?

Is this possible? If so, can I ask for like a working HTML code? Thanks in advance.


0 Karma
1 Solution

morethanyell
Builder

I figured it out 🙂

<search>
 <query>| makeresults | eval SomeField = "Hello World" | table SomeField</query>
 <earliest>0</earliest>
 <latest>now</latest>
 <done>
   <set token="search_results">$result.SomeField$</set>
 </done>
</search>
.
.
.
...<td>$search_results$</td>


0 Karma
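A complete Simple XML dashboard that wires the accepted answer together, added here as an example and not part of the original post: a dashboard-level search whose done handler sets the token, and an html panel whose static table reads it back. The label, the search id and the second table row are assumptions for illustration. The cell uses the |h filter so the value is HTML-escaped on the way into the markup, which matters once the token comes from a real index instead of a literal.

```xml
<dashboard>
  <label>Static table fed by a search (added example)</label>

  <!-- Dashboard-level search: no visualization, it only exists to set a token.
       The earliest/latest here come from the original answer. -->
  <search id="cell_search">
    <query>| makeresults | eval SomeField = "Hello World" | table SomeField</query>
    <earliest>0</earliest>
    <latest>now</latest>
    <done>
      <!-- $result.SomeField$ is the field value from the first result row -->
      <set token="search_results">$result.SomeField$</set>
    </done>
  </search>

  <row>
    <panel>
      <html>
        <!-- Static HTML table; only the second cell is driven by the search -->
        <table>
          <tr>
            <th>Item</th>
            <th>Value</th>
          </tr>
          <tr>
            <td>Greeting from search</td>
            <!-- |h HTML-escapes the token so markup in the field value is rendered as text -->
            <td>$search_results|h$</td>
          </tr>
          <tr>
            <td>Fixed cell (assumed)</td>
            <td>static content</td>
          </tr>
        </table>
      </html>
    </panel>
  </row>
</dashboard>
```

Because the search has no visualization attached, the html panel stays blank until the done handler fires; a `<default>` for the token, or an `<unset>` in a `<progress>` handler, can be added if a placeholder is wanted while the search runs.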


niketn
Legend

@morethanyell if there is a fixed number of rows in your static table and this is a single piece of information you need to add, then this should work. Glad you were able to figure out the solution by yourself!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn
Legend

@morethanyell, while what you are asking is possible with Splunk, I think you are complicating the use case by trying to go after tokens and modify the table, which would be through a Simple XML JS extension.

Before I can tell you your options, in your existing search you have used the eventstats command where you should actually have used the stats command instead, i.e.

 index=foo sourcetype=bar
 | stats count as SomeField

You do not need eventstats, which is a streaming command and adds a new field to each event, then later perform dedup. Stats does the job of taking care of your use case.
Following are your options

Option 1: Use appendcols command and run both searches in one SPL. Following is a run anywhere example based on Splunk's _internal and _audit index.

index=_internal sourcetype=splunkd
| stats count as someField1
| appendcols [search index=_audit sourcetype=audittrail
| stats count  as someField2]

Option 2: Use appendcols command with makeresults generating command to token set from other place (input/event handlers etc).

index=_internal sourcetype=splunkd
| stats count as someField1
| appendcols [ | makeresults
| fields - _time
| eval someField2=$yourTokenGoesHere$]

Option 3: Use Simple XML JS Extension with Splunk JS Stack to add a Custom Table Renderer and through Token Model access and add Token to the Table. Since this is a complex approach please try first two options and confirm whether this is the route you want to take. You can refer to Splunk Dashboard Examples app for Custom Table Renderer using Simple XML JS Extension. Following is an answer on similar lines where JS Is used to split Single Column into two: https://answers.splunk.com/answers/661894/how-to-color-cell-contents-with-css-and-js.html#answer-661...

In case none of the options work for you, then you would need to add more details on how your second token is being set and what is the query behind the same. If both the queries run on the same index and same sourcetype, then you might have easier solution where single search can populate both values without event correlation/grouping.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
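Option 2 carried through as a runnable form, added here as an example and not part of the original answer: a text input sets a token, and the appendcols/makeresults subsearch pulls that token into the same row as the splunkd count. The form label, the input token name and its default value are assumptions. The token is passed through the |s filter, which quotes and escapes it, so whatever a user types lands in eval as a string literal rather than being spliced into the SPL as syntax.

```xml
<form>
  <label>Two values in one row via appendcols (added example)</label>

  <fieldset submitButton="false">
    <!-- Assumed input; its token is consumed inside the search below -->
    <input type="text" token="label_text" searchWhenChanged="true">
      <label>Value for someField2</label>
      <default>from input</default>
    </input>
  </fieldset>

  <row>
    <panel>
      <table>
        <search>
          <!-- Run-anywhere search on _internal, as in the original answer.
               $label_text|s$ renders as a quoted, escaped string literal. -->
          <query>index=_internal sourcetype=splunkd
| stats count as someField1
| appendcols [ | makeresults
    | fields - _time
    | eval someField2=$label_text|s$ ]</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

If the dashboard author prefers to skip the |s filter and quote the token by hand (`eval someField2="$label_text$"`), a value containing a double quote breaks the search instead of being escaped, which is the practical reason to let the filter do the quoting.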

morethanyell
Builder

Hello, niketnilay. Thank you very much for your substantial answer. I am so sorry though if I made my question very vague. The sample code I placed (the one with eventstats) is just rubbish. I don't actually need that.

I have edited my question and added a photo so I can make it even clearer.

0 Karma