My customer has asked me to create a dashboard for the errors in OS logs, and as there are plenty, he wants to make sure whether a particular error has been acknowledged or not. So he has asked me to create a button in each row of a table which will show on click that it has been acknowledged.
This is going to require custom JavaScript or HTML, and you are going to have to go beyond what is available to you in simpleXML. I would search SplunkBase and there are probably multiple options. The basic thing to do is:
1: Add this to each report `| streamstats count AS _serial` to add an invisible field named `_serial` to each event/row.
2: Create a DB in your Search Head's KV Store that contains `SID` and `_serial` and an `acknowledged` boolean.
3: Create a dashboard that pulls the report in using the `saved_searches` REST API to get the `SID`, load the events with `loadjob`, add in the boolean values for each row from the KV store, and present the custom view with the added column to flip the `acknowledged` boolean.
Please do elaborate on how this can be done with @sideview's most excellent utils and also why you would like another alternative.
Here's the code to add a checkbox button on each row.
And if I convert that to Sideview's XML then it wouldn't allow me to export the CI Details which is available in Splunk by default.
Maybe @sideview will chime in.
Thanks woodcock! Since the question is about doing this without Sideview Utils, I'll be as brief as I can. This sort of thing, wedging arbitrary UI into table cells, is done using the "table embedding" feature of the Sideview Table module. The only docs and examples are in the Sideview Utils app itself, but they are decent and there's an example of putting in a button. Just like woodcock says, there are other bits just as important, concerning how you manage (i.e. remember) the state of the previously acknowledged rows.
And I think your comment about "then it wouldn't allow me to export..." is referring to the fact that simpleXML views can be exported to HTML views. However, Sideview XML views cannot. This is indeed the case. And I'm sorry but I do not know, short of writing quite a lot of custom code, of any way to implement the same thing from scratch in a SplunkJS / "html view". Hopefully someone else who is more of an expert in that area can give you a more definitive answer there.
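The state handling behind the three steps in the first answer, sketched as an added example that is not code from anyone in this thread: rows numbered by `_serial` are joined to acknowledgement records keyed on SID plus `_serial`, and a button click flips the boolean. `AckStore`, `parseSerial`, `mergeAcks`, the `acknowledged_by` field and the sample SID and rows are all assumptions made up for illustration; the in-memory map stands in for the KV Store collection.

```javascript
// Added example. AckStore is an in-memory stand-in for the KV Store collection
// from step 2; a real dashboard would read and write that collection instead.
class AckStore {
  constructor() { this.records = new Map(); }

  // One record per (SID, _serial) pair, as in step 2.
  static key(sid, serial) { return `${sid}:${parseSerial(serial)}`; }

  isAcknowledged(sid, serial) {
    const rec = this.records.get(AckStore.key(sid, serial));
    return Boolean(rec && rec.acknowledged);
  }

  // Flip the acknowledged boolean for one row; returns the stored record.
  // acknowledged_by is an assumed extra field, not one of the answer's three.
  toggle(sid, serial, user) {
    const rec = {
      _key: AckStore.key(sid, serial),
      sid,
      _serial: parseSerial(serial),
      acknowledged: !this.isAcknowledged(sid, serial),
      acknowledged_by: user,
    };
    this.records.set(rec._key, rec);
    return rec;
  }
}

// Assumption: row values may arrive as strings, so _serial is parsed and
// rejected unless it is a positive integer (streamstats count starts at 1).
function parseSerial(value) {
  const n = Number(value);
  if (!Number.isInteger(n) || n < 1) throw new Error(`bad _serial: ${value}`);
  return n;
}

// Step 3: add the acknowledged column to every row loaded for this SID.
function mergeAcks(sid, rows, store) {
  return rows.map((row) => ({
    ...row,
    acknowledged: store.isAcknowledged(sid, row._serial),
  }));
}

// Constructed sample data: a made-up SID and rows numbered as in step 1.
const SAMPLE_SID = "scheduler__constructed__1700000000_42";
const SAMPLE_ROWS = [
  { _serial: "1", host: "web01", message: "disk I/O error" },
  { _serial: "2", host: "web02", message: "kernel: out of memory" },
  { _serial: "3", host: "db01", message: "filesystem read-only" },
];
```

Because the key includes the SID, acknowledgements recorded against one job do not appear on rows loaded from a different job.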