Solved: Re: Simple XML: How to display search results with...

dc595 · ‎11-10-2015

I'm looking to see if there's a solution to display a search result (1 event) using Simple XML. Is there a token that needs to be set for each return field? I'm using Splunk 6.3

In the required js stack, I noticed the ListElement, but there's isn't much documentation on this. Ideally I would like to display the results within HTML tags, however, alternatives are certainly welcomed.

I would like to display the results like the sudo code below

<row>
<panel>
<html>

FirstName: $result.fname$
LastName: $result.lname$
Email: $result.email$

</html>
</panel>
</row>

Thanks

frobinson_splun · ‎11-10-2015

Hi @dc595,
You might want to try using search tokens. You can use search tokens to access job metadata or information from the first results row returned.

Here is some documentation about working with search tokens:
http://docs.splunk.com/Documentation/Splunk/6.3.1/Viz/tokens#Define_search_tokens

You can also take a look at the Dashboard Examples app to see examples of using tokens with HTML (in particular, the "Custom Token Definitions" example):
https://splunkbase.splunk.com/app/1603/

Hope this helps! Let me know if you need other suggestions.

@frobinson_splunk

View solution in original post

ArthurGautesen · ‎11-17-2015

I'd agree with using search tokens. Here is something really simple but works.

<search>
   <query>|inputlookup In_progress.csv | eval Answer="In Progress" | table Answer</query>
   <earliest>-1s@s</earliest>
   <latest>now</latest>
   <finalized>
      <set token="ThisIsMyToken">$result.Answer$</set>
   </finalized>
</search>

This will put the value "In Progress" into the token $ThisIsMyToken$ which we can use in a panel down below.

The token is generated after the query completes, which is why I used a simple inputlookup to do this, and did not bother to collect anything from the .csv file

<row>
   <panel>
      <html>
         <p style="text-align:center; font-size:400%; color: #000000">
            Current Status  

            <div style="color: #73a550">
            $ThisIsMyToken$
            </div>
         </p>
      </html>
   </panel>
   <panel>
      <!-- more content goes here, if needed -->
   </panel>
   <panel>
      <!-- and even more content goes here, but only if needed -->
   </panel>
</row>

The first panel should only display two lines "Current Status" in black, and "In Progress" in green, but both in a larger font size, and centered in the panel.

You could also put a <table> and </table> in between the <html> and </html> objects if you needed to integrate more values in a table structure.

I hope this helps.

frobinson_splun · ‎11-10-2015

Hi @dc595,
You might want to try using search tokens. You can use search tokens to access job metadata or information from the first results row returned.

Here is some documentation about working with search tokens:
http://docs.splunk.com/Documentation/Splunk/6.3.1/Viz/tokens#Define_search_tokens

You can also take a look at the Dashboard Examples app to see examples of using tokens with HTML (in particular, the "Custom Token Definitions" example):
https://splunkbase.splunk.com/app/1603/

Hope this helps! Let me know if you need other suggestions.

@frobinson_splunk

dc595 · ‎11-11-2015

Yes it does help - I just successfully finished testing a panel with your suggestion. Thank you for your help

frobinson_splun · ‎11-11-2015

Awesome!! Really glad this worked for you.

Simple XML: How to display search results within an HTML List?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor