Splunk Search

How to pass one field from a real-time search result as variable on a dashboard?

ryastrebov
Communicator

Hello Splunkers!

I have a dashboard (with js) with some real-time search. This search always returns only one result (after pressing the "submit" button to generate a unique key, this key is sent to a Python script. The result of the Python script and this key are added to an event in a log file. This log file is indexed by Splunk, and the real-time search returns this event by this key).
I would like to use one field from this rt-search result in my next code on a dashboard. When rt-search returns a result, I want to get this field value. (Example: alert("My field is: " + field_value);)

How can I do that?

Regards,
Roman

0 Karma
1 Solution

splunkian
Path Finder

This solution is probably hacky, but because you're dealing with an RT search, there isn't a way that I know of to easily pull the current result value directly from a real-time search, and if there is I would love to be shown how. Also, trying to set the value using tokens appears to not work within the context of a RT search. I am making some broad assumptions about what you are trying to do exactly, so hopefully this comes close.

Note: This will only work in 6.2.

How It Works:
Every time the RT search gets a new result it will pass that value to a tableView that we can easily pull the value from. We'll then force render the table to get the new result. That result value could then be pushed into an alert or into an `<html>` XML section (which is what I am doing in this example).

Simple XML:

<dashboard script="realtime_value.js">
  <label>Real Time Value Pull</label>
  <row>
    <panel>
      <html>
        <div id="keyRegion"><!-- Key value will be put here. --></div>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table id="realTimeTable">
        <title>Table View</title>
        <search id="realTimeSearch">
          <query>...</query>
          <earliest>rt-5m</earliest>
          <latest>rtnow</latest>
        </search>
        <option>...</option>
      </table>
    </panel>
  </row>
</dashboard>

realtime_value.js:

require([
    'underscore',
    'jquery',
    'splunkjs/mvc',
    'splunkjs/mvc/tableview',
    'splunkjs/mvc/simplexml/ready!'
], function(_, $, mvc, TableView) {

    var realTimeSearch = mvc.Components.getInstance('realTimeSearch');

    //I decided to use a base cell renderer to easily render the cell of the table
    var CellRenderer = TableView.BaseCellRenderer.extend({
        canRender: function(cell) {
            //Name of the field in the table to target this cell renderer on
            return _(['Key']).contains(cell.field);
        },
        render: function($td, cell) {
            //here it will output the current key value from the RT search
            console.log('My field is: ', cell.value);
            //a cell renderer is responsible for filling the cell itself
            $td.text(cell.value);
            //in this example, I'm just pushing the current value into the
            //<html> section in the simple XML (.text() keeps whatever is in the
            //log from being interpreted as HTML)
            $(document).find('#keyRegion').text('Your current key is: ' + cell.value);
        }
    });

    //register the renderer once; adding it on every progress event would
    //stack up duplicate renderers on the table
    mvc.Components.get('realTimeTable').getVisualization(function(tableView) {
        tableView.table.addCellRenderer(new CellRenderer());
        tableView.table.render();

        realTimeSearch.on("search:progress", function(properties) {
            //every time there is a new result, we force the table to re-render
            tableView.table.render();
        });
    });
});

Now, let's say you don't want that table to be visible: you could just set a depends attribute on the table's panel to a token that will never be set; that way the panel will never show up. So you would end up only showing the panel with "Your current key is: ". Hopefully this helps.

If someone has a more elegant way to do this, I would love to know.
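A second way to get at that one field, added here as an example and not part of splunkian's answer: read the search manager's results model directly instead of re-rendering a table. The search id `realTimeSearch` and the field name `Key` come from the answer above; the assumptions are that the `preview` results model emits `data` as the real-time search updates, that `mvc` and `$` are passed in from the dashboard's `require` callback, and the `SAMPLE_PREVIEW` payload is constructed for offline use.

```javascript
// Added example (not part of splunkian's answer): read the single field through
// the search manager's results model instead of re-rendering a table.
// Assumption: the 'preview' model emits 'data' as the real-time search updates.

// Constructed sample in Splunk's json_rows shape, for offline use only.
var SAMPLE_PREVIEW = {
    fields: ['_time', 'Key', 'script_result'],
    rows: [['2024-03-01T00:00:00', 'abc123', 'ok']]
};

// Pure helper: pick one field from a json_rows payload ({fields: [...], rows: [[...]]}).
// Returns null when there is no row yet or the field is absent, so the page
// never shows "undefined" while the real-time search is still warming up.
function pickField(payload, fieldName) {
    if (!payload || !Array.isArray(payload.fields) || !Array.isArray(payload.rows)) {
        return null;
    }
    var idx = payload.fields.indexOf(fieldName);
    if (idx < 0 || payload.rows.length === 0) {
        return null;
    }
    var value = payload.rows[0][idx];
    return value === undefined || value === null ? null : String(value);
}

// Dashboard glue; wire it inside the dashboard's require callback, e.g.:
//   watchKey(mvc, 'realTimeSearch', 'Key', function(v) { showKey($, v); });
// onValue fires only when the key changes, since a real-time search emits data repeatedly.
function watchKey(mvc, searchId, fieldName, onValue) {
    var manager = mvc.Components.getInstance(searchId);
    var preview = manager.data('preview', { count: 1, output_mode: 'json_rows' });
    var last = null;
    preview.on('data', function() {
        var value = pickField(preview.data(), fieldName);
        if (value !== null && value !== last) {
            last = value;
            onValue(value);
        }
    });
    return preview;
}

// The key comes from indexed log data, so write it with .text(), never .html(),
// so that whatever landed in the log cannot be interpreted as markup.
function showKey($, value) {
    $('#keyRegion').text('Your current key is: ' + value);
}
```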


ryastrebov
Communicator

Thank you, splunkian!

0 Karma

dolivasoh
Contributor

Tokens should help

0 Karma

ryastrebov
Communicator

I need to extract result values from my event, NOT an input field...

0 Karma