All Apps and Add-ons

unable to use $foo$ value containing xml, in html module

sbsbb
Builder

I have a xml field in a table, when the user click on a row, I want him to see the xml field in a HTML Module... but there is something in the XML that prevent this to work, even when using .rawValue

$foo$ = false event if there is something in the xml

$foo$ = part of the xml...

0 Karma
1 Solution

sideview
SplunkTrust
SplunkTrust

the HTML module doesn't escape its contents. This is actually a good thing because you can formulate little snippets of HTML using the search language and then render it into the page.

So all that's happening here is that it's rendering the XML into the page. the browser looks at your "tags" and doesn't see any valid HTML tags so it kind of throws them away, but it does render the text content of the XML nodes, which are things like "false" and that date string.

(UPDATED)

the answer is to escape the HTML markup, turning certain special characters like "<" into "&lt;". Also to make it display in a monospace font you would wrap it in a <pre> or <code> tag.

Here is an example where you would have a 'xml' field, showing how to use a simple postProcess search to replace the characters, and then using an HTML module to display the modified xml field.

<module name="PostProcess">
  <param name="search">| eval xml=replace(xml,"&","&amp;") | eval xml=replace(xml,"<","&lt;") | eval xml=replace(xml,">","&gt;")</param>
  <module name="HTML">
    <param name="html"><![CDATA[
      <h3>this is some HTML.</h3> 
        <pre>$results[0].xml$</pre>

    ]]></param>
  </module>
</module>

View solution in original post

0 Karma

sideview
SplunkTrust
SplunkTrust

the HTML module doesn't escape its contents. This is actually a good thing because you can formulate little snippets of HTML using the search language and then render it into the page.

So all that's happening here is that it's rendering the XML into the page. the browser looks at your "tags" and doesn't see any valid HTML tags so it kind of throws them away, but it does render the text content of the XML nodes, which are things like "false" and that date string.

(UPDATED)

the answer is to escape the HTML markup, turning certain special characters like "<" into "&lt;". Also to make it display in a monospace font you would wrap it in a <pre> or <code> tag.

Here is an example where you would have a 'xml' field, showing how to use a simple postProcess search to replace the characters, and then using an HTML module to display the modified xml field.

<module name="PostProcess">
  <param name="search">| eval xml=replace(xml,"&","&amp;") | eval xml=replace(xml,"<","&lt;") | eval xml=replace(xml,">","&gt;")</param>
  <module name="HTML">
    <param name="html"><![CDATA[
      <h3>this is some HTML.</h3> 
        <pre>$results[0].xml$</pre>

    ]]></param>
  </module>
</module>
0 Karma

sideview
SplunkTrust
SplunkTrust

OK. If you want to use it in a postprocess, here we go.
First note that in your 1,2,3 example, you're creating a field up in the search results called "xml" in step 1, and then in step 3, you're using a client-side token called $xml$. However these two creatures have absolutely nothing to do with eachother, so the $xml$ will be emptystring. However, that is exactly what ResultsValueSetter does - it pulls down one or more field values from the first row of search results, and makes them available as $foo$ tokens... Check out the ResultsValueSetter docs and examples page in Sideview Utils.

0 Karma

sbsbb
Builder

If I can't use $foo$ as input, I need to refer each time to the whole xml field in the main result, and it is pretty difficult, as spath only know about the index of each element (I can't search by a value)
vendorProductSet.product.desc.locDesc{4}

0 Karma

sbsbb
Builder

Do the same trick is working, if I wan't to use the xml field in a downstream postprocess ?

like

  1. search | eval xml=replace(xml,"&","&") | eval xml=replace(xml,"<","<") | eval xml=replace(xml,">",">")

  2. table

  3. postprocess | count | fields - count | eval xml2=$xml$ | spath input=xml2 ...

My point is I have a big xml, and I want the user to first chose a level-1 element, then display corresponding level-2 elements ... etc....

0 Karma

sideview
SplunkTrust
SplunkTrust

Ack. Sorry I forgot how <pre> and <code> tags work. The tag alone won't do it. You have to escape the HTML. I will make this easier by adding a htmlEscapeKeys param to the HTML module in a future release. For now you can do it in the search language and I will update my answer.

0 Karma

sbsbb
Builder

Unfortunately it doesn't work,

I've tried <pre> and <code>

but I only get "False" or "VdvFehler [402]"
out of

<?xml version="1.0" encoding="ISO-8859-1" standalone="yes"?>VdvFehler [402]

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...