I have a static table on a dashboard panel. I was hoping someone could help me pass the result from a search into a <td> tag. I have sample code below (sample only; my working search is much more complicated):
| makeresults | eval SomeField = "Hello World" | table SomeField
Which results in
SomeField Hello World
My intention is to pass the result (Hello World) into a cell in my static table, like
I understand that Splunk's default input fields have these Dynamic Options where you write the search string, choose the field for the label and then the field for the value, where you can use its $token$ to pass / append the result into a search string. Can I do the same programmatically in the source code of the dashboard and have the result appear in a <td> or a particular cell of my static HTML table?
Is this possible? If so, can I ask for like a working HTML code? Thanks in advance.
@morethanyell, while what you are asking is possible with Splunk, I think you are complicating the use case by trying to go after tokens and modify the table, which would be through a Simple XML JS extension.
Before I can tell you your options: in your existing search you have used the eventstats command where you should have actually used the stats command instead, i.e.
index=foo sourcetype=bar | stats count as SomeField
You do not need eventstats, which is a streaming command and adds a new field to each event, and then later perform dedup. Stats does the job of taking care of your use case.
Following are your options:
Option 1: Use appendcols command and run both searches in one SPL. Following is a run anywhere example based on Splunk's _internal and _audit index.
index=_internal sourcetype=splunkd | stats count as someField1 | appendcols [search index=_audit sourcetype=audittrail | stats count as someField2]
index=_internal sourcetype=splunkd | stats count as someField1 | appendcols [ | makeresults | fields - _time | eval someField2=$youtTokenGoesHere$]
Option 3: Use Simple XML JS Extension with Splunk JS Stack to add a Custom Table Renderer and, through the Token Model, access and add the token to the table. Since this is a complex approach, please try the first two options and confirm whether this is the route you want to take. You can refer to the Splunk Dashboard Examples app for a Custom Table Renderer using Simple XML JS Extension. Following is an answer on similar lines where JS is used to split a single column into two: https://answers.splunk.com/answers/661894/how-to-color-cell-contents-with-css-and-js.html#answer-661...
In case none of the options work for you, then you would need to add more details on how your second token is being set and what the query behind it is. If both the queries run on the same index and same sourcetype, then you might have an easier solution where a single search can populate both values without event correlation/grouping.
Hello, niketnilay. Thank you very much for your substantial answer. I am so sorry, though, if I made my question very vague. The sample code I placed (the one with eventstats) is just rubbish. I don't actually need that.
I have edited my question and added a photo so I can make it even clearer.
I figured it out 🙂
<search>
  <query>| makeresults | eval SomeField = "Hello World" | table SomeField</query>
  <earliest>0</earliest>
  <latest>now</latest>
  <done>
    <set token="search_results">$result.SomeField$</set>
  </done>
</search>
. . .
...<td>$search_results$</td>
@morethanyell, if there is a fixed number of rows in your static table and if this is a single piece of information you need to add, then this should work. Glad you were able to figure out the solution by yourself!
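A complete dashboard source built around the approach posted above, as an added example that is not part of the original thread: the `<done>` handler copies the first result row into a token, and an `<html>` panel renders that token in a static table. The `n/a` fallback, the table labels and the explicit `|h` filter are assumptions added for illustration.

```xml
<dashboard>
  <label>Static table fed by a search (added example)</label>
  <!-- Global search with no visualization; it only feeds a token. -->
  <search>
    <query>| makeresults | eval SomeField = "Hello World" | table SomeField</query>
    <earliest>0</earliest>
    <latest>now</latest>
    <done>
      <!-- Edge case: with zero results there is no SomeField value to read,
           so set a fallback (assumed text) instead of leaving the token unset. -->
      <condition match="'job.resultCount' == 0">
        <set token="search_results">n/a</set>
      </condition>
      <condition>
        <!-- $result.<field>$ reads the field from the first result row only. -->
        <set token="search_results">$result.SomeField$</set>
      </condition>
    </done>
  </search>
  <row>
    <panel>
      <html>
        <table>
          <tr>
            <th>Label</th>
            <th>Value</th>
          </tr>
          <tr>
            <td>Some field</td>
            <!-- The |h filter HTML-escapes the value, so markup that arrives
                 in indexed log data is shown as text rather than rendered. -->
            <td>$search_results|h$</td>
          </tr>
        </table>
      </html>
    </panel>
  </row>
</dashboard>
```

When the value comes from indexed events rather than `makeresults`, avoid the `|n` (no escaping) filter on this token, since the cell would then render whatever markup the log data contains.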