Is there a way to create a token from search results in simple XML similar to $results[0].fieldname$ in advanced XML?

helenashton
Path Finder

I want to be able to use my search for a few things, i.e. a table then further search or html display based on certain values in the first row of results.

In advanced XML and Sideview I used to be able to get information from the first row of a search's results by using $results[0].fieldname$.

Can I do something similar in simple xml?

Thanks!

feickertmd
Communicator

Here's an easy way!!
See for reference: http://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Search_event_elements_and_job_properti...

You need to set the token in the section and call the result there. Here's a sample:

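      <panel>
        <title>Maximum API calls in one hour over last 7 days</title>
        <single>
          <title>Max hits for api: $max_api$</title>
          <search>
            <query>...</query>
            ...
            <!-- Runs when the search completes; $result.api$ is the api field of the first result row -->
            <done>
              <set token="max_api">$result.api$</set>
            </done>
          </search>
        </single>
      </panel>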
0 Karma

niketn
Legend

Even in Splunk Simple XML, $result.[fieldname]$ is available, though it applies only to the first row. Please check the Search Event Handlers:
1) http://docs.splunk.com/Documentation/Splunk/6.5.1/Viz/EventHandlerReference
2) http://docs.splunk.com/Documentation/Splunk/6.5.1/Viz/tokens

You can also check out the Splunk 6.x Dashboard Examples App for the Search Result Setter example, which calls out various search tokens.

Please let me know if you need an example for the $result.[fieldname]$ token.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
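An added example, not written by any poster in this thread: a complete Simple XML dashboard that publishes first-row fields as tokens from a `<done>` handler and reuses them in an HTML panel and a follow-up search. Result values can come from untrusted log data, so each token is escaped where it is used (`|h` for HTML, `|s` for a quoted search string). The search id, token names and `makeresults` data are constructed for illustration.

```xml
<dashboard>
  <label>First-row token example (constructed)</label>
  <!-- Base search: constructed sample data, sorted so the busiest API is row 1 -->
  <search id="base">
    <query>| makeresults count=3 | streamstats count AS n | eval api="api_".n, hits=n*100 | sort - hits | table api hits</query>
    <earliest>-15m</earliest>
    <latest>now</latest>
    <done>
      <!-- $result.<field>$ holds the value from the first result row only -->
      <condition match="'job.resultCount' &gt; 0">
        <set token="top_api">$result.api$</set>
        <set token="top_hits">$result.hits$</set>
      </condition>
      <!-- No rows: clear stale tokens so dependent panels hide -->
      <condition>
        <unset token="top_api"></unset>
        <unset token="top_hits"></unset>
      </condition>
    </done>
  </search>
  <row>
    <panel>
      <table>
        <search base="base">
          <query>| table api hits</query>
        </search>
      </table>
    </panel>
    <!-- Shown only while top_api is set; |h HTML-escapes the value -->
    <panel depends="$top_api$">
      <html>
        <p>Busiest API: <b>$top_api|h$</b> with $top_hits|h$ hits</p>
      </html>
    </panel>
  </row>
  <row>
    <panel depends="$top_api$">
      <table>
        <search>
          <!-- |s wraps the value in quotes and escapes embedded quotes -->
          <query>| makeresults | eval api=$top_api|s$ | table api</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```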

jdonn_splunk
Splunk Employee

I have had the need to do this myself a few times, and I just figured it out. What you want to do is create a token that you can reference in HTML. To do this dynamically, we can use a form input. The important parts here are:

  1. Use a dropdown input.
  2. Create a search that gives you the result that you want to tokenize.
  3. Hide the input by assigning a dummy depends token in the input type.
  4. Set the selectFirstChoice parameter to true.

      <input type="dropdown" token="last_update" searchWhenChanged="true" depends="$justHideMe$">
        <label>last_update</label>
        <search>
          <query>index=my_data_updates | head 1 | convert timeformat="%H:%M:%S on %m/%d/%Y" ctime(_time) AS last_update | table last_update</query>
        </search>
        <fieldForLabel>last_update</fieldForLabel>
        <fieldForValue>last_update</fieldForValue>
        <selectFirstChoice>true</selectFirstChoice>
      </input>
    

You can now reference $last_update$ in your HTML panels.

Check out my example "last updated" dashboard at the bottom of this App:

https://splunkbase.splunk.com/app/2919/

sloshburch
Splunk Employee

To @jdonn's point, this functionality is now available in the newer versions of Splunk.

Here's some docs to elaborate:

bcronrath
Path Finder

In case anyone wants an example, here is one that I just did:

      <search id="minVal">
        <query>| makeresults | eval minute_val=`cts_sm_minute_builder`</query>
        <earliest>$t_picker.earliest$</earliest>
        <latest>$t_picker.latest$</latest>
        <!-- Copy minute_val from the first result row into a token -->
        <finalized>
          <set token="minute_val">$result.minute_val$</set>
        </finalized>
      </search>

where that macro is basically giving me back some calculated values based on the time picker entries

0 Karma

dfoster_splunk
Splunk Employee

To my knowledge there aren't any tokens in Simple XML that are auto-populated by running searches.

You could create a SearchManager in JS and grab the results from that directly.

feickertmd
Communicator

see my answer below

0 Karma

martin_mueller
SplunkTrust

Technically you could include inline JS in HTML dashboards converted from SimpleXML. Good to start development, bad for maintenance and larger-scale deployment later.

0 Karma

helenashton
Path Finder

Yup, which is why I don't want to do it that way.
It really would be helpful (for maintenance) to have inline JavaScript - anyone know if it's on the plan?

0 Karma

dfoster_splunk
Splunk Employee

[script] tags are explicitly stripped out of [html] blocks in Simple XML, which leads me to believe that inline JS is explicitly not on the plan due to security issues. If a regular visitor could edit a dashboard and insert [script] tags in an [html] block, you could potentially have cookie-stealing code and other issues.

Anyone on the Simple XML team with a more authoritative answer?

0 Karma

helenashton
Path Finder

I think it should be our choice (as developers of a dashboard) if we are prepared to accept any risks. It opens up SO many options of things we can do to improve our dashboards. We have been doing this a lot in advanced XML, but if the trend is towards simple XML, then this feature is really important to allow us to make our dashboards usable and maintainable.

0 Karma

helenashton
Path Finder

Can't do that unfortunately as I don't have permission to upload js files - if I could include js in the dashboard I'd be good... but I can't seem to.

0 Karma

dfoster_splunk
Splunk Employee

Yeah, there's no way to inline JS in Simple XML. It has to be included via [form script="foo_in_appserver_static.js"].

0 Karma