Hello Splunkers!
I have a dashboard (with js) with some real-time search. This search always returns only one result (After pressing the "submit" button to generate a unique key, this key is sent to a python script. The result of the python script and this key is added to an event in a log-file. This log-file is indexed by Splunk and the real-time search returns this event by this key).
I would like to use one field from this rt-search result in my next code on a dashboard. When rt-search returns a result, I want to get this field value. (Example: alert("My field is: " + field_value);
)
How can I do that?
Regards,
Roman
This solution is probably hacky, but because you're dealing with an RT search, there isn't a way that I know of to easily pull the current result value directly from a real-time search, and if there is I would love to be shown how. Also, trying to set the value using tokens appears to not work within the context of a RT search. I am making some broad assumptions about what you are trying to do exactly, so hopefully this comes close.
Note: This will only work in 6.2.
How It Works:
Every time the RT search gets a new result it will pass that value to a tableView that we can easily pull the value from. We'll then force render the table to get the new result. That result value could then be pushed into an alert or in an `` XML section (which is what I am doing in this example).
Simple XML:
<dashboard script="realtime_value.js">
<label>Real Time Value Pull</label>
<row>
<panel>
<html>
<div id="keyRegion"><!-- Key value will be put here. --></div>
</html>
</panel>
</row>
<row>
<panel>
<table id="realTimeTable">
<title>Table View</title>
<search id="realTimeSearch">
<query>...</query>
<earliest>rt-5m</earliest>
<latest>rtnow</latest>
</search>
<option>...</option>
</table>
</panel>
</row>
</dashboard>
realtime_value.js:
require([
'underscore',
'backbone',
'jquery',
'splunkjs/mvc',
'splunkjs/mvc/tableview',
'splunkjs/mvc/searchmanager',
'splunkjs/mvc/simplexml/ready!'
], function(_, Backbone, $, mvc, TableView, SearchManager) {
var realTimeSearch = mvc.Components.getInstance('realTimeSearch');
//I decided to use a base cell renderer to easily render the cell of the table
var CellRenderer = TableView.BaseCellRenderer.extend({
canRender: function(cell) {
//Name of the field in the table to target this cell renderer on
return _(['Key']).contains(cell.field);
},
render: function($td, cell) {
//here it will output the current key value from the RT search
console.log('My field is: ', cell.value);
//in this example, I'm just pushing the current value into the
//<html> section in the simple XML
$(document).find('#keyRegion').text('Your current key is: ' + cell.value);
}
});
realTimeSearch.on("search:progress", function(properties) {
//every time there is a new result, then we will force the table to re-render
mvc.Components.get('realTimeTable').getVisualization(function(tableView) {
tableView.table.addCellRenderer(new CellRenderer());
tableView.table.render();
});
});
});
Now, let's say you don't want that table to be visible, you could easily just set a depends attribute on the table's panel and set it to a token that will never be set, that way the panel will never show up. So, you would end up only showing the panel's "Your current key is: ". Hopefully, this helps.
If someone has a more elegant way to do this, I would love to know.
This solution is probably hacky, but because you're dealing with an RT search, there isn't a way that I know of to easily pull the current result value directly from a real-time search, and if there is I would love to be shown how. Also, trying to set the value using tokens appears to not work within the context of a RT search. I am making some broad assumptions about what you are trying to do exactly, so hopefully this comes close.
Note: This will only work in 6.2.
How It Works:
Every time the RT search gets a new result it will pass that value to a tableView that we can easily pull the value from. We'll then force render the table to get the new result. That result value could then be pushed into an alert or in an `` XML section (which is what I am doing in this example).
Simple XML:
<dashboard script="realtime_value.js">
<label>Real Time Value Pull</label>
<row>
<panel>
<html>
<div id="keyRegion"><!-- Key value will be put here. --></div>
</html>
</panel>
</row>
<row>
<panel>
<table id="realTimeTable">
<title>Table View</title>
<search id="realTimeSearch">
<query>...</query>
<earliest>rt-5m</earliest>
<latest>rtnow</latest>
</search>
<option>...</option>
</table>
</panel>
</row>
</dashboard>
realtime_value.js:
require([
'underscore',
'backbone',
'jquery',
'splunkjs/mvc',
'splunkjs/mvc/tableview',
'splunkjs/mvc/searchmanager',
'splunkjs/mvc/simplexml/ready!'
], function(_, Backbone, $, mvc, TableView, SearchManager) {
var realTimeSearch = mvc.Components.getInstance('realTimeSearch');
//I decided to use a base cell renderer to easily render the cell of the table
var CellRenderer = TableView.BaseCellRenderer.extend({
canRender: function(cell) {
//Name of the field in the table to target this cell renderer on
return _(['Key']).contains(cell.field);
},
render: function($td, cell) {
//here it will output the current key value from the RT search
console.log('My field is: ', cell.value);
//in this example, I'm just pushing the current value into the
//<html> section in the simple XML
$(document).find('#keyRegion').text('Your current key is: ' + cell.value);
}
});
realTimeSearch.on("search:progress", function(properties) {
//every time there is a new result, then we will force the table to re-render
mvc.Components.get('realTimeTable').getVisualization(function(tableView) {
tableView.table.addCellRenderer(new CellRenderer());
tableView.table.render();
});
});
});
Now, let's say you don't want that table to be visible, you could easily just set a depends attribute on the table's panel and set it to a token that will never be set, that way the panel will never show up. So, you would end up only showing the panel's "Your current key is: ". Hopefully, this helps.
If someone has a more elegant way to do this, I would love to know.
Thank you, splunkian!
Tokens should help
I need extract result values from my event, NOT input field...