Splunk Search

Display search result as a read-only text box or a small sized table

Communicator

I have a dashboard with a drop-down that will have a list of values populated to it. When the user selects a value from the drop-down, on change, a list of values (in one column) related to the selected value will be retrieved and displayed , after which the same selected value will be used for further proceedings.

Now I need to display these values in a small read-only text-box or a table (or something like that) of a very small size ( no, not that usual regular size table inside a panel). This should be a very small read-only list or table amidst the text data.

Something like- A user selects an author name from the list and I would want to show a quick info about the list of books written by that author, just an FYI for the user and then use the same drop-down value to do my further job.

Looking for some help in this regard.

0 Karma

Legend

@sh254087, please try the following run anywhere example based on Splunk's _internal index. Since you want to pick specific table row value based on the Dropdown value, you can use Splunk's default search event handler token i.e. $result.fieldname$, depending on which fields you have. In case search returns no result or specific field is not present, the following example should show NA.

Also I have used CSS style directly on the <div> using <html> panel. You can choose any other option as you may like!

alt text
Following is the Simple XML code for the dashboard:

<form>
  <label>Filter and Show Results based on Dropdown</label>
  <search>
    <query>index=_internal sourcetype=splunkd log_level!=INFO component="$tokComponent$"
| chart count by component log_level
    </query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
    <done>
      <condition match="$job.resultCount$!=0">
        <eval token="tokError">if(isnull($result.ERROR$),"NA",$result.ERROR$)</eval>
        <eval token="tokWarn">if(isnull($result.WARN$),"NA",$result.WARN$)</eval>
      </condition>
      <condition>
        <set token="tokError">NA</set>
        <set token="tokWarn">NA</set>
      </condition>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="tokComponent" searchWhenChanged="true">
      <label>Select Component</label>
      <fieldForLabel>component</fieldForLabel>
      <fieldForValue>component</fieldForValue>
      <search>
        <query>index=_internal sourcetype=splunkd log_level!=INFO
| dedup component
| sort component
| table component</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row depends="$tokComponent$">
    <panel>
      <html>
        <div style="color:blue;font-size:80%">Component:$tokComponent$ -> Error: $tokError$ | Warn: $tokWarn$</div>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!=INFO
| chart count by component log_level</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Builder

Hello @sh254087,

did you try to use a css in order to change the size of the text displayed in the colum of the table displaying the 'list of books'? I would advise, in Splunk, once the 'title' selected in the dropdown, to display a dedicated row containing a panel (table). This table, once given the right id, can be modified using the id as reference, in order to change the size of the strings in the column refering to the 'list of books' of the author.

Would this be a suitable way to solve your problem?
If so, I can provide an example and references to splunk docs as an answer here

0 Karma

Communicator

Hello @poete, please share the information. Meanwhile I'll try what Niket has shared in the comment below.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!