Splunk Search

How can I best run a search and retrieve results from custom code?

emma
Splunk Employee
Splunk Employee

I'm writing an app that has custom HTML and JavaScript that code that needs to access search results. What's the best way to utilize Splunk's search interface, get results, parse them and get access to the results from within my custom code? I'd like to then embed the results in a view within Splunk, utilizing Splunk's view XML and displaying my search results within the Splunk Web UI.

1 Solution

sideview
SplunkTrust
SplunkTrust

There's a lot of core javascript objects in the Splunk UI that provide functionality. Once you know how it works it's not that hard to use, but that's the trick. These objects are not documented beyond the comments in the code, and we havent invested any time in making examples for external development. In a nutshell Gerald is right- it could be a pretty frustrating experience to try and do anything real right now.

But if anyone out there wants to play around with things, you can read some of the source code. For fun you can run a search in the main search UI, and then use firebug's JS console to run things like:

header = Splunk.Globals.ModuleLoader.getModuleInstanceById("ResultsHeader_2_9_2");
search = header.getContext().get("search");

("ResultsHeader_2_9_2" is just the id of one of the modules in the flashtimeline view)

Once you have that search object you can get the working urls to access events, results, timeline, summaries. And if you're familiar with good old jquery you would just hit those URL's to get the actual data .

search.getUrl("results")
search.getUrl("timeline")

as for newing up a new Search object and dispatching it and binding event handlers to do something custom, in a perfect world this would be easy. In the real world the first two are super easy but the last one would be annoyingly difficult to do from outside the framework so I'll spare you.

View solution in original post

sideview
SplunkTrust
SplunkTrust

There's a lot of core javascript objects in the Splunk UI that provide functionality. Once you know how it works it's not that hard to use, but that's the trick. These objects are not documented beyond the comments in the code, and we havent invested any time in making examples for external development. In a nutshell Gerald is right- it could be a pretty frustrating experience to try and do anything real right now.

But if anyone out there wants to play around with things, you can read some of the source code. For fun you can run a search in the main search UI, and then use firebug's JS console to run things like:

header = Splunk.Globals.ModuleLoader.getModuleInstanceById("ResultsHeader_2_9_2");
search = header.getContext().get("search");

("ResultsHeader_2_9_2" is just the id of one of the modules in the flashtimeline view)

Once you have that search object you can get the working urls to access events, results, timeline, summaries. And if you're familiar with good old jquery you would just hit those URL's to get the actual data .

search.getUrl("results")
search.getUrl("timeline")

as for newing up a new Search object and dispatching it and binding event handlers to do something custom, in a perfect world this would be easy. In the real world the first two are super easy but the last one would be annoyingly difficult to do from outside the framework so I'll spare you.

jrodman
Splunk Employee
Splunk Employee

Hm, is this a leading question for our developers? My first guess is you would want to use the REST API to launch searches and acquire the results of those searches. This is a data access method, in a sense, and does not incorporate the ideas of display or formatting.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

I would say that mixing your own UI with Splunk UI, either in client-side or server-side code, will be completely unsupported, and probably extremely difficult, and not likely to be something that will ever be easy with the current UI framework. I would say that it would be in fact easier to the REST API, or if not, to use an SDK for whatever web development platform you are using. If one doesn't exist, then I would agitate either Splunk or the community for one.

0 Karma

jrodman
Splunk Employee
Splunk Employee

Oh, totally different context. You want to hook into the javascript event flow. I know nothing here.

0 Karma

emma
Splunk Employee
Splunk Employee

i'm actually looking for a way to send search results into my custom code within Splunk's UI. I can use the XML but I am way more comfortable writing my own HTML, JavaScript and CSS. So I'm looking for a way to send and receive search results from my custom code to other modules within Splunk Web.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...