I want to be able to use my search for a few things, i.e. a table then further search or html display based on certain values in the first row of results.
In advanced XML and Sideview I used to be able to get information from the first row of a search's results by using $results.fieldname$.
Can I do something similar in simple xml?
Here's an easy way!!
see for reference: http://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Search_event_elements_and_job_properti...
You need to set the token in the section and call the result there. Here's a sample:
<panel> <title>Maximum API calls in one hour over last 7 days</title> <single> <title>Max hits for api: $max_api$</title> <search> <query>...</query> ... <done> <set token="max_api">$result.api$</set> </done> </search>
Even in Splunk Simple XML $result.[fieldname]$ is available provided applicable only for the first row. Please check the Search Event Handlers:
You can also check out the Splunk 6.x Dashboard Examples App for Search Result Setter example which calls out various search tokens.
Please let me know if you need example for $result.[fieldname]$ token.
I have had the need to do this myself a few times, and I just figured it out. What you want to do is create a token that you can reference in HTML. To do this dynamically, we can use a form input. The important parts here are:
Set the * selectFirstChoice* parameter to true.
<input type="dropdown" token="last_update" searchWhenChanged="true" depends="$justHideMe$"> <label>last_update</label> <search> <query>index=my_data_updates | head 1 | convert timeformat="%H:%M:%S on %m/%d/%Y" ctime(_time) AS last_update | table last_update</query> </search> <fieldForLabel>last_update</fieldForLabel> <fieldForValue>last_update</fieldForValue> <selectFirstChoice>true</selectFirstChoice> </input>
You can now reference $last_update$ in your HTML panels.
Check out my example "last updated" dashboard at the bottom of this App:
To @jdonn's point, this functionality is now available in the newer versions of Splunk.
Here's some docs to elaborate:
In case anyone wants an example, here is one that I just did:
<search id="minVal"> <query>| makeresults | eval minute_val=`cts_sm_minute_builder`</query> <earliest>$t_picker.earliest$</earliest> <latest>$t_picker.latest$</latest> <finalized> <set token="minute_val">$result.minute_val$</set>> </finalized> </search>
where that macro is basically giving me back some calculated values based on the time picker entries
To my knowledge there aren't any tokens in Simple XML that are auto-populated by running searches.
You could create a SearchManager in JS and grab the results from that directly.
[script] tags are explicitly stripped out of [html] blocks in Simple XML, which leads me to believe that inline JS is explicitly not on the plan due to security issues. If a regular visitor could edit a dashboard and insert [script] tags in an [html] block, you could potentially have cookie-stealing code and other issues.
Anyone on the Simple XML team with a more authoritative answer?
I think it should be our choice (as developers of a dashboard) if we are prepared to accept any risks. It opens up SO many options of things we can do to improve our dashboards. We have been doing this a lot in advanced XML, but if the trend is towards simple XML, then this feature is really important to allow us to make our dashboards usable and maintainable.