dynamic display of data in advance XML ???

rakesh_498115 · ‎09-24-2012

Hi ..

I have used the following script in my Advance XML ,HTML Module to display the data dynamically in html..

<html>    
<script type="text/javascript">
function myFunction(no)
{
var i=0;
var data="";
data="<table border='1' width='50%'>";
for(i=0;i<no;i++)
{
data+="<tr><td>$results["+i+"].count$</td></tr>";
}
data+="</table>";
document.getElementById("display").innerHTML=data;
}
</script>
</html>

and I have called this function in one more html module to display the search query results like this..

<module name="HiddenSearch" layoutPanel="panel_row2_col1_grp1" autoRun="True" group="SITE">   
<param name="search">soucetype="X"  "Request" | top Field | fields - percent </param>
<module name="HTML">
<param name="html">
  <![CDATA[
  <div id="display"></div>
 <input type="button" onclick="myFunction(4)" value="Click Me"/>
 ]]>
</param>
</module>
</module>

Here in the myFunction Call i have used to 4 . This value will be the dynamic value will be changed according to the total events in my search query for the count field. But i am not getting the results ..please help..

If i normal use in the HTML module ..like this..

<table>
<tr><td>$results[0].count$</td></tr>
<tr><td>$results[1].count$</td></tr>
<tr><td>$results[2].count$</td></tr>
</table>

i am gettin the values ..how can i make this dynamic....ie how can i make the results[].count dynamic..ie according the total values of the field count..

Since As many of you suggested the given javascript code doesnt work ,I wanted you to suggest a solution for my usecase .

USE-CASE : For Dynamic Display of data in Advance XML

Sample Log :
………

MS1
1
1 </ Current >
1</ Pending >
1
FALSE</ ConsumptionPause >
FALSE</ ProductionPause >
FALSE</ InsertionPause >

MS2
1
1 </ Current >
1</ Pending >
1
FALSE</ ConsumptionPause >
FALSE</ ProductionPause >
FALSE</ InsertionPause >

MS3
1
1 </ Current >
1</ Pending >
1
FALSE</ ConsumptionPause >
FALSE</ ProductionPause >
FALSE</ InsertionPause >

MS4
1
1 </ Current >
1</ Pending >
1
FALSE</ ConsumptionPause >
FALSE</ ProductionPause >
FALSE</ InsertionPause >

……….
………..
…………

This is my sample log which shows the details of all the queues . Here I have included only one queue Queue1 , It has four servers say MS1,MS2,MS3 and MS4 from the log.

Now I need to run a search query which gives the me the following ouput .

Output ::

For a Single Queue 1 :

Queue1 table

Queue1 MS1 MS2 MS3 MS4
Consumer 1 1 1 1
Current 0 0 0 0
Pending 0 0 0 0
High 0 0 0 0
Received 0 0 0 0
Consumption Pause FALSE FALSE FALSE FALSE
Production Pause FALSE FALSE FALSE FALSE
Insertion Pause FALSE FALSE FALSE FALSE

The above table format clearly tells me that for a queue say Queue1 ,They are certain values associacted with the four servers MS1,MS2,MS3 and MS4 . All the values for the fields Consumer,Current,Pending, High,Received, Consumption Pause, Production Pause , Insertion Pause can be taken from the from the log .

Now In my log if I have one more queue Say Queue2 , those queue details have to shown in another table . i.e depending upon the no of Queue’s in my log . I need to generate that no of table views for each and every queue.My log records may contain ‘N’ no of queues say Queue1,Queue2,……QueueN . ,For all these Queues I need to show those properties in a table view.

In addition to this I need a manual intervention to selection which queues to displayed from the search query.i.e something I will be giving the details in Queue.csv lookup file

Like this .

QueueName,Display
Queue1,Y
Queue2,N
Queue3,Y
Queue4,N
……
…….
……..
QueueN,N

Here in the lookup file QueueName tells the details of the all the queues available and Display field tells the whether the queue has to be displayed in the seach result or not

i.e Lets Take in my logs I have 5 queues Queue1, Queue2, and Queue3,Queue4,Queue5 and my lookup file Queue.csv is something like this

Queue.csv

QueueName,Display
Queue1,Y
Queue2,N
Queue3,Y
Queue4,N
Queue5,Y

i.e from the lookup table , it is clear that i need the queues Queue1,Queue3 and Queue5 must be displayed .

So my search query should now result in to three table views for these three queues Queue1,Queue3 and Queue5 as follows,

Queue1 table

Queue1 MS1 MS2 MS3 MS4
Consumer 1 1 1 1
Current 0 0 0 0
Pending 0 0 0 0
High 0 0 0 0
Received 0 0 0 0
Consumption Pause FALSE FALSE FALSE FALSE
Production Pause FALSE FALSE FALSE FALSE
Insertion Pause FALSE FALSE FALSE FALSE

Queue3 table

Queue3 MS1 MS2 MS3 MS4
Consumer 1 1 1 1
Current 0 0 0 0
Pending 0 0 0 0
High 0 0 0 0
Received 0 0 0 0
Consumption Pause FALSE FALSE FALSE FALSE
Production Pause FALSE FALSE FALSE FALSE
Insertion Pause FALSE FALSE FALSE FALSE

Queue5 table

Queue5 MS1 MS2 MS3 MS4
Consumer 1 1 1 1
Current 0 0 0 0
Pending 0 0 0 0
High 0 0 0 0
Received 0 0 0 0
Consumption Pause FALSE FALSE FALSE FALSE
Production Pause FALSE FALSE FALSE FALSE
Insertion Pause FALSE FALSE FALSE FALSE

Is this possible in splunk ?? or can you suggest any approach to show the data in the table views as shown above ?? .

sideview · ‎10-12-2012

No, I'm afraid it doesn't work that way. And to be precise, $results.count$ strictly speaking is not the length of any results array - it's the number reported by the Splunk Search API for the number of search result rows.

rakesh_498115 · ‎10-11-2012

Hi Jason..$results.count$ is giving the length of the results array..Can we pass this entire results array to the javascript function ??

sideview · ‎10-04-2012

Well, to make a long story short this approach here won't work. I mean, you can certainly write some custom Javascript and you can make that custom Javascript do things when the user interacts with the HTML. However what this script will do is write in literal HTML that looks like:

<tr><td>$results[0].count$</td></tr>

meaning that the tablecell contents will be literally $results[0].count$, with no substitution from the count field. It's the HTML module's Javascript that does all the fancy $token$ substitution, and you're basically defeating all that code by taking control of things yourself.

However, if we think of this question simply as -- I want to render a table but I don't know how many values there will be, there's of course the obvious answer of:

<module name="Pager">
  <module name="SimpleResultsTable">
    <param name="displayRowNumbers">False</param>
    <param name="entityName">results</param>
  </module>
</module>

Presumably something about that doesn't work for you. But can we start there and can you describe what it was that led you to start investigating the HTML module for this sort of thing instead? Because I think there's probably a way to get to where you want to go, and although it probably doesn't involve writing custom JS trying to rewrite the HTML directly, I'm more than happy to help you find it.

UPDATE::

Adding this update after the details were posted, and after I'd mentioned the multiplexer module.
Multiplexer is a very advanced Sideview module as well as being very new. So you're going to have to promise me that you'll go in latest Sideview Utils and read "Key Techniques > Overview of the Advanced XML" a couple times through. If you haven't already that is.

As to your problem, it has two parts really. There's the part of how to you turn the indexed XML into well behaved search result rows. I'm going to assume that you have this part well in hand. Specifically I'm going to assume that you're extracting all this data as "queue", "server" and a third field that's something like "category". Values of what I'm calling "category" for example are "Current", "Pending", "Production Pause". (( Shoot... actually your question has some cells in the table as integers, and some as True/False. This might be a copout but ultimately I'm going to treat that as part of the search-language side of the problem, not the UI side))

So, assuming the indexing and extraction and search language part is taken care of, I'm going to transpose the rest of the problem over to another space of fields.

This search should yield results in every splunk instance and it's an analogue of your situation. there are three fields - "file", "clientup" and "status", and there's lots of unique combinations of all three.

index=_internal sourcetype=splunk_web_access NOT /en-US/splunkd/services/search status=* | stats count by file clientip status

Thus transposed, your question becomes here a question of -- how can I show one table for every value of "file", and for each of those tables I want a header above the table saying what file it is, and I want to have the table show clientips down the left side, and status values across the top -- basically each table should look like "chart count over clientip by status" for that one particular file.

Here's the answer:

<module name="Search" layoutPanel="panel_row1_col1" group="rakesh example" autoRun="True">
  <param name="search">index=_internal sourcetype=splunk_web_access NOT /en-US/splunkd/services/search status=* | stats count by file clientip status</param>
  <param name="earliest">-4h</param>
  <param name="latest">now</param>

  <module name="JobProgressIndicator" />

  <module name="Pager">
    <module name="Multiplexer">
      <param name="field">file</param>
      <!-- Multiplexer can only have one child and it creates one deep clone
      of that child PER value of the given field. 
      When put inside Pager like this (see the Pager just upstream from 
      Multiplexer), the Multiplexed UI will be paged.
      -->
      <module name="PostProcess">
        <param name="search">search file="$file$" | chart sum(count) as count over clientip by status</param>

        <module name="HTML">
          <param name="html"><![CDATA[
            <h2>$file$</h2>
            search file="$file$" | chart sum(count) as count over clientip by status
          ]]></param>
        </module>

        <module name="Paginator">
          <module name="Table"/>
        </module>
      </module>
    </module>    
  </module>
</module>

Some Fiddly Technical Notes:

I used a Paginator as the second Pager because there are some bugs I only just found in Pager, that only come out in situations where a Pager is nested inside a Pager. The workaround is to just use the Paginator module as the innermost of the two, which is what I've done here. This Pager bug is slated to be fixed in an upcoming Utils release.

If you actually haven't solved the indexing, field-extraction and search language parts of the problem, ie the parts that I glossed over completely, I think they deserve their own totally separate question devoid of any mention of fancy UI.

I hope this helps.

rakesh_498115 · ‎11-06-2012

thanks for the update .. 🙂

sideview · ‎11-01-2012

OK. I posted a big update. There are far too many moving parts and still too many unknowns for me to attempt a direct answer to your question simply because I'd almost certainly make some wrong assumption and I wouldn't be able to test it. So I've done something more practical and transposed the problem over into _internal data, and shown you how the Multiplexer module can do it there. Hope this helps.

rakesh_498115 · ‎10-31-2012

I have provided the sample log file xml and the output i am expecting ..can you pls provide me the solution for the usecase i am interested ..

sideview · ‎10-30-2012

Quite possibly you can use the Multiplexer module because that's exactly what Multiplexer does. Keep giving details though and maybe I can help.

rakesh_498115 · ‎10-30-2012

even if i use post process i need to manually define the no of table views..but i dont want like this..depending upon the base search results . i need to generate the table views...for eg if base search gives me 7 search results/events ..each result must be displayed in 7 diferent tables.

sideview · ‎10-22-2012

Well in the absence of details, I still recommend having a Pager module and then a Table module or a SimpleResultsTable module nested inside. That will render you a table. If you want to render several different tables and you want to use the same search results, the normal way is to use postProcess to carve up the data differently. If you want to use different searches then you just use different Search modules. For more reading about postprocess, there are some good docs and examples both in the UI Examples app and in the Sideview Utils app.

rakesh_498115 · ‎10-22-2012

Hi..What i really need or what i am trying to do is ?. i need a search query which displays the data in n set of table views .. for that reason i have written the javascripet snipet as above which doesnt worked for me...can you pls suggest a solution or an example for my usecase ,,

sideview · ‎10-16-2012

Can you go back and give more details? I haven't yet seen any details about what led you to go down this weird road in the first place. And why not just have a Button module, with a Pager module inside it, and a SimpleResultsTable or Table module inside that? Perhaps your example is really stripped down to remove the complexity, but as written the three modules I just said can easily do exactly what your example is trying to do.

rakesh_498115 · ‎10-16-2012

Can you pls ..give an example of the usecase you mentioned above.actually my base search should generate N of table views ..

sideview · ‎10-12-2012

Well you can give more details about this and we can give a better answer. However it sounds like a case where most people would use PostProcess searches to carve up the results from one "base search" and present it as N different tables and charts. This is a very common use case and I suspect that it's the way you should go.

rakesh_498115 · ‎10-11-2012

Actually my search results should be scattered as different set of tables i.e my single query output must be presented in different set of tables that is the reason i have used javascript code..pls help or let me know whether this can be accomplished in any other way ?

Jason · ‎10-04-2012

My questions from this would be "how do I get the length of results[]" ? Or, "is it possible to loop in the dashboard?"

dynamic display of data in advance XML ???

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms