Dashboards & Visualizations

Simple XML: How to display search results within an HTML List?

dc595
Explorer

I'm looking to see if there's a solution to display a search result (1 event) using Simple XML. Is there a token that needs to be set for each return field? I'm using Splunk 6.3

In the required js stack, I noticed the ListElement, but there's isn't much documentation on this. Ideally I would like to display the results within HTML tags, however, alternatives are certainly welcomed.

I would like to display the results like the sudo code below

<row>
<panel>
<html>

FirstName: $result.fname$
LastName: $result.lname$
Email: $result.email$

</html>
</panel>
</row>

Thanks

0 Karma
1 Solution

frobinson_splun
Splunk Employee
Splunk Employee

Hi @dc595,
You might want to try using search tokens. You can use search tokens to access job metadata or information from the first results row returned.

Here is some documentation about working with search tokens:
http://docs.splunk.com/Documentation/Splunk/6.3.1/Viz/tokens#Define_search_tokens

You can also take a look at the Dashboard Examples app to see examples of using tokens with HTML (in particular, the "Custom Token Definitions" example):
https://splunkbase.splunk.com/app/1603/

Hope this helps! Let me know if you need other suggestions.

@frobinson_splunk

View solution in original post

ArthurGautesen
Path Finder

I'd agree with using search tokens. Here is something really simple but works.

<search>
   <query>|inputlookup In_progress.csv | eval Answer="In Progress" | table Answer</query>
   <earliest>-1s@s</earliest>
   <latest>now</latest>
   <finalized>
      <set token="ThisIsMyToken">$result.Answer$</set>
   </finalized>
</search>

This will put the value "In Progress" into the token $ThisIsMyToken$ which we can use in a panel down below.

The token is generated after the query completes, which is why I used a simple inputlookup to do this, and did not bother to collect anything from the .csv file

<row>
   <panel>
      <html>
         <p style="text-align:center; font-size:400%; color: #000000">
            Current Status  

            <div style="color: #73a550">
            $ThisIsMyToken$
            </div>
         </p>
      </html>
   </panel>
   <panel>
      <!-- more content goes here, if needed -->
   </panel>
   <panel>
      <!-- and even more content goes here, but only if needed -->
   </panel>
</row>

The first panel should only display two lines "Current Status" in black, and "In Progress" in green, but both in a larger font size, and centered in the panel.

You could also put a <table> and </table> in between the <html> and </html> objects if you needed to integrate more values in a table structure.

I hope this helps.

0 Karma

frobinson_splun
Splunk Employee
Splunk Employee

Hi @dc595,
You might want to try using search tokens. You can use search tokens to access job metadata or information from the first results row returned.

Here is some documentation about working with search tokens:
http://docs.splunk.com/Documentation/Splunk/6.3.1/Viz/tokens#Define_search_tokens

You can also take a look at the Dashboard Examples app to see examples of using tokens with HTML (in particular, the "Custom Token Definitions" example):
https://splunkbase.splunk.com/app/1603/

Hope this helps! Let me know if you need other suggestions.

@frobinson_splunk

dc595
Explorer

Yes it does help - I just successfully finished testing a panel with your suggestion. Thank you for your help

frobinson_splun
Splunk Employee
Splunk Employee

Awesome!! Really glad this worked for you.

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...