Solved: How to give Line break in eval and display the sam...

ashutoshwalke · ‎06-29-2021

Hello,

I am trying to display some data in field "result" for me in a single value chart using below query, and color/severity rule is based on keywords instead of numbers. i.e. OK = GREEN and NOTOK = RED

Below code works for me but the only issue is I am unable to break the line in the chart.

I want it as OK/NOTOK on the top and then the EndTime or anything that I may concatenate further below the result field.

Example,

============================================

result as "OK/NOTOK"

EndTime

============================================

I have tried using regex/sed or actually using (shift + enter) in my splunk query and it does works but in search only not in the dashboard.

Code

============================================

============================================

Can someone please advise ?

I had seen few posts that this could be achieved using some CSS/JS scripts but I do not have much knowledge on it.

Any help appreciated.

@niketn @ITWhisperer @Ayn @woodcock

Regards

kamlesh_vaghela · ‎06-30-2021

@ashutoshwalke

Singlevalue combine both again with comma separate. Here I suggest you go with below XML and try it.

<dashboard>
  <label>Single View Double Value</label>
  <row>
    <panel>
      <single>
        <search>
          <query>| makeresults | eval result="OK", result1="EndTime" | table result result1</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <set token="underlabel">$result.result1$</set>
          </done>
        </search>
        <option name="drilldown">none</option>
        <option name="underLabel">$underlabel$</option>
      </single>
    </panel>
  </row>
</dashboard>

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

kamlesh_vaghela · ‎06-29-2021

@ashutoshwalke

Not sure \n work but you can split value to make it same. Can you please try this?

| makeresults | eval result="OK"."\n"."EndTime"| eval result = split(result,"\n")

KV

ashutoshwalke · ‎06-30-2021

Hello Kamlesh, Thank you for your response. The query you have provided does work when run in splunk search but not when used in dashboard to display this data in single value chart. Also, not sure why is it showing an comma now in the chart with you query. RESULT (I got with your query in single value chart) ======================================= OK,EndTime Please advise.

kamlesh_vaghela · ‎06-30-2021

@ashutoshwalke

Singlevalue combine both again with comma separate. Here I suggest you go with below XML and try it.

<dashboard>
  <label>Single View Double Value</label>
  <row>
    <panel>
      <single>
        <search>
          <query>| makeresults | eval result="OK", result1="EndTime" | table result result1</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <set token="underlabel">$result.result1$</set>
          </done>
        </search>
        <option name="drilldown">none</option>
        <option name="underLabel">$underlabel$</option>
      </single>
    </panel>
  </row>
</dashboard>

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

ashutoshwalke · ‎07-01-2021

@kamlesh_vaghela It worked like a charm, Thanks a lot for your help 🙂

ashutoshwalke · ‎06-30-2021

@kamlesh_vaghela Please advise ?

How to give Line break in eval and display the same in single value chart

eval

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?