All Apps and Add-ons

Status Indicator App: How do I access search result in Simple XML and manually change visualization display text?

mawomommoh
Path Finder

Is there a way to access the results of a query in the Simple XML of a dashboard (Source)? In essence, is there a way to parse the results of a search to the Simple XML (maybe using a variable or keyword)? Also, after splitting by a particular field, is there a way to manually change the text that is displayed by the boxes in the visualization? I want to be able to set the text being displayed to the values of a particular field in the search result. Thanks

Tags (1)
0 Karma
1 Solution

niketn
Legend

@mawomommoh, Try the following.

Step 1) Use the split by Action option in Trellis as you have used in first screenshot.

Step 2) Add | eval Result=Action as the final pipe in your query to Update the value Result and display Action value instead

             source="xxx" host="xxx" index="xxx_xml" sourcetype="xml" 
             | stats distinct_count(Result) by Action, Result
             | eval color=case(Result=="Passed","green",Result=="Skipped","gold", Result=="Failed","red")
             | eval Result=Action

Step 3) Use CSS Override to hide Status Indicator Header Label Text.

      div.facet-label{
        visibility:hidden !important;
      }

Following is the run anywhere example on top of Splunk's _internal index, based on the details provided:

alt text

<dashboard>
  <label>Status Indicator with Trellis</label>
  <row>
    <panel>
      <html depends="$alwaysHideCSSStyle$">
        <style>
          div.facet-label{
            visibility:hidden !important;
          }
        </style>
      </html>
      <viz type="status_indicator_app.status_indicator">
        <search>
          <query>index=_internal sourcetype=splunkd log_level=*
| stats distinct_count(component) as dcComponent by component,log_level
| eval color=case(log_level=="INFO","#65a637",log_level=="WARN","#f7bc38", log_level=="ERROR","#d93f3c")
| eval log_level=component</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="height">480</option>
        <option name="drilldown">none</option>
        <option name="status_indicator_app.status_indicator.colorBy">field_value</option>
        <option name="status_indicator_app.status_indicator.fillTarget">background</option>
        <option name="status_indicator_app.status_indicator.fixIcon">warning</option>
        <option name="status_indicator_app.status_indicator.icon">field_value</option>
        <option name="status_indicator_app.status_indicator.precision">0</option>
        <option name="status_indicator_app.status_indicator.showOption">1</option>
        <option name="status_indicator_app.status_indicator.staticColor">#d93f3c</option>
        <option name="status_indicator_app.status_indicator.useColors">true</option>
        <option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">small</option>
        <option name="trellis.splitBy">component</option>
      </viz>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn
Legend

@mawomommoh, Try the following.

Step 1) Use the split by Action option in Trellis as you have used in first screenshot.

Step 2) Add | eval Result=Action as the final pipe in your query to Update the value Result and display Action value instead

             source="xxx" host="xxx" index="xxx_xml" sourcetype="xml" 
             | stats distinct_count(Result) by Action, Result
             | eval color=case(Result=="Passed","green",Result=="Skipped","gold", Result=="Failed","red")
             | eval Result=Action

Step 3) Use CSS Override to hide Status Indicator Header Label Text.

      div.facet-label{
        visibility:hidden !important;
      }

Following is the run anywhere example on top of Splunk's _internal index, based on the details provided:

alt text

<dashboard>
  <label>Status Indicator with Trellis</label>
  <row>
    <panel>
      <html depends="$alwaysHideCSSStyle$">
        <style>
          div.facet-label{
            visibility:hidden !important;
          }
        </style>
      </html>
      <viz type="status_indicator_app.status_indicator">
        <search>
          <query>index=_internal sourcetype=splunkd log_level=*
| stats distinct_count(component) as dcComponent by component,log_level
| eval color=case(log_level=="INFO","#65a637",log_level=="WARN","#f7bc38", log_level=="ERROR","#d93f3c")
| eval log_level=component</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="height">480</option>
        <option name="drilldown">none</option>
        <option name="status_indicator_app.status_indicator.colorBy">field_value</option>
        <option name="status_indicator_app.status_indicator.fillTarget">background</option>
        <option name="status_indicator_app.status_indicator.fixIcon">warning</option>
        <option name="status_indicator_app.status_indicator.icon">field_value</option>
        <option name="status_indicator_app.status_indicator.precision">0</option>
        <option name="status_indicator_app.status_indicator.showOption">1</option>
        <option name="status_indicator_app.status_indicator.staticColor">#d93f3c</option>
        <option name="status_indicator_app.status_indicator.useColors">true</option>
        <option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">small</option>
        <option name="trellis.splitBy">component</option>
      </viz>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

mawomommoh
Path Finder

Wow! Thank you so much @niketnilay . It worked! I really appreciate the help 🙂

niketn
Legend

@mawomommoh, glad it worked... the initial code you posted seemed familiar... wink ... wink!!! 😉

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

@mawomommoh, based on the description seems like you might have to use Simple XML JS Extension. However, you might have to add more details for the community experts to help you. Like what is the underlying search and what is the expected change? If you can add a mock screenshot of what you have and what you want would also be of great help!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

mawomommoh
Path Finder

Thanks @niketnilay. Here is a more detailed explanation of the problem and what I am trying to achieve: https://answers.splunk.com/comments/613505/view.html

0 Karma

493669
Super Champion

Not able to understand clearly ...provide your sample xml and what you want to achieve .

0 Karma

mawomommoh
Path Finder

Here is the simple xml I am trying to manipulate (from the 'Source' Edit dashboard option):

<dashboard stylesheet="xxx.css" script="xxx.js">
  <label>xxxReport</label>
  <row>
    <panel>
      <html depends="$alwaysHideCSSOverride$">
        <style>
          .splunk-status-indicator {
            border-radius: 35px !important;
          }
        </style>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <viz type="status_indicator_app.status_indicator">
        <search>
          <query>source="xxx" host="xxx" index="xxx_xml" sourcetype="xml" 
            | stats distinct_count(Result) by Action, Result
            | eval color=case(Result=="Passed","green",Result=="Skipped","gold", Result=="Failed","red")</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="drilldown">none</option>
        <option name="height">500</option>
        <option name="refresh.display">progressbar</option>
        <option name="status_indicator_app.status_indicator.colorBy">field_value</option>
        <option name="status_indicator_app.status_indicator.fillTarget">background</option>
        <option name="status_indicator_app.status_indicator.fixIcon">check</option>
        <option name="status_indicator_app.status_indicator.icon">field_value</option>
        <option name="status_indicator_app.status_indicator.precision">0</option>
        <option name="status_indicator_app.status_indicator.showOption">1</option>
        <option name="status_indicator_app.status_indicator.staticColor">#555</option>
        <option name="status_indicator_app.status_indicator.useColors">true</option>
        <option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">small</option>
        <option name="trellis.splitBy">Action</option>
      </viz>
    </panel>
  </row>
</dashboard>

Here is a sample out of how the dashboard appears based on the xml above: Status Indicator Dashboard when split by Action: https://ibb.co/dRP1Ob

What I want to achieve:
Instead of the values of the Result field (e.g. 'Passed', 'Skipped') being displayed in the boxes in the dashboard, I want to display the values of the Action field (e.g. 'Place order', 'Call customer',etc) in those boxes dynamically based on the results of my query.

If I split by the Result field, the dashboard appears like this: Status Indicator Dashboard when split by Result: https://ibb.co/n1Gnww

The final goal is that the dashboard should appear something like this: Status Indicator Final Goal: https://ibb.co/hVJQGw

I hope this clarifies things better. Thanks in advance!

0 Karma

paramagurukarth
Builder

In what visualization you want to do this.. table/chart/html?

0 Karma

mawomommoh
Path Finder

I am using the Status Indicator Visualization App. I am trying to manipulate the Simple XML of the dashboard created by this app. See my response to @493669 (https://answers.splunk.com/comments/613505/view.html) for a more detailed explanation of the problem and what I am trying to achieve. Thanks in advance!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...