Splunk Search

Can we create a button added in each row of a table? I want to achieve this without the use of Sideview Utils

sandyIscream
Communicator

My customer has asked me to create a dashboard for the errors in OS logs, and as there are plenty, he wants to make sure whether a particular error has been acknowledged or not. So he has asked me to create a button in each row of a table which will show on click that it has been acknowledged.

woodcock
Esteemed Legend

This is going to require custom JavaScript or HTML and you are going to have to go beyond what is available to you in simpleXML. I would search SplunkBase and there are probably multiple options. The basic thing to do is:

1: Add this to each report | streamstats count AS _serial to add an invisible field named _serial to each event/row.
2: Create a DB in your Search Head's KV Store that contains SID and _serial and an acknowledged boolean.
3: Create a dashboard that pulls the report in using the saved_searches REST API to get the SID, load the events with loadjob, add in the boolean values for each row from the KV store, and present the custom view with the added column to flip the acknowledged boolean.

Please do elaborate on how this can be done with @sideview 's most excellent utils and also why you would like another alternative.
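
The merge and toggle logic behind steps 2 and 3 above, as an added example that is not part of the original post or of any Splunk app. It is plain JavaScript with no Splunk libraries; it assumes the job's rows and the KV Store records have already been fetched as arrays, and the function names and the `sid:_serial` record-key layout are hypothetical.

```javascript
// Added example; function names and the sid:_serial key layout are assumptions.
// Deterministic record key so the same row of the same job maps to one record.
function ackKey(sid, serial) {
  return sid + ':' + serial;
}

// Values may arrive as true/false, 1/0 or strings, depending on how they were written.
function toBool(v) {
  return v === true || v === 1 || v === '1' || String(v).toLowerCase() === 'true';
}

// Join the job's rows with the KV Store records for that SID only.
// Rows without _serial cannot be matched and are flagged instead of guessed at.
function mergeAcks(sid, rows, kvRecords) {
  const acked = new Map();
  for (const rec of kvRecords) {
    if (rec.sid === sid) acked.set(String(rec._serial), toBool(rec.acknowledged));
  }
  return rows.map((row) => {
    const hasSerial = row._serial !== undefined && row._serial !== null && row._serial !== '';
    return Object.assign({}, row, {
      acknowledged: hasSerial ? acked.get(String(row._serial)) === true : false,
      ackable: hasSerial,
    });
  });
}

// Build the record to write back when the button in a row is clicked.
function toggleAck(sid, mergedRow) {
  if (!mergedRow.ackable) throw new Error('row has no _serial');
  return {
    _key: ackKey(sid, mergedRow._serial),
    sid: sid,
    _serial: String(mergedRow._serial),
    acknowledged: !mergedRow.acknowledged,
  };
}

// Constructed sample data: three result rows and two stored records.
const SAMPLE_SID = '1700000000.42';
const SAMPLE_ROWS = [
  { _serial: '1', sourcetype: 'syslog', message: 'disk failure' },
  { _serial: '2', sourcetype: 'syslog', message: 'oom killer' },
  { sourcetype: 'syslog', message: 'row missing _serial' },
];
const SAMPLE_KV = [
  { _key: '1700000000.42:1', sid: '1700000000.42', _serial: '1', acknowledged: '1' },
  { _key: '1699999999.7:2', sid: '1699999999.7', _serial: '2', acknowledged: true },
];
```

The second sample record belongs to a different SID, so it does not mark row 2 of this job as acknowledged.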

sandyIscream
Communicator

Here's the code to add a checkbox button on each row.

row_selection
row_selection
$row.field.sourcetype$

And if I convert that to Sideview's XML then it wouldn't allow me to export the CI Details, which is available in Splunk by default.


woodcock
Esteemed Legend

Maybe @sideview will chime in.


sideview
SplunkTrust

Thanks woodcock! Since the question is about doing this without Sideview Utils, I'll be as brief as I can. This sort of thing, wedging arbitrary UI into table cells, is done using the "table embedding" feature of the Sideview Table module. The only docs and examples are in the Sideview Utils app itself, but they are decent and there's an example of putting in a button. Just like woodcock says, there are other bits just as important, concerning how you manage (i.e. remember) the state of the previously acknowledged rows.
And I think your comment about "then it wouldn't allow me to export..." is referring to the fact that simpleXML views can be exported to HTML views. However, Sideview XML views cannot. This is indeed the case. And I'm sorry but I do not know, short of writing quite a lot of custom code, of any way to implement the same thing from scratch in a SplunkJS / "html view". Hopefully someone else who is more of an expert in that area can give you a more definitive answer there.
