Splunk Search

SingleValue - Click through to search

Drainy
Champion

I am trying to implement similar functionality to that seen in the Deployment monitor whereby there is a single value that has a traffic light indicator next to it. To the right of the counter is a button to click through and view the full results.
The Deployment monitor uses the following XML to achieve it:

  <module name="HiddenSavedSearch" layoutPanel="panel_row3_col1" group="Indexer Warnings" autoRun="True">
    <param name="savedSearch">DM idle indexers</param>
    <param name="groupLabel">Indexer Warnings</param>
    <module name="JobProgressIndicator"/>
    <module name="HiddenPostProcess">
      <param name="search">stats count | rangemap field=count low=0-0 severe=1-1000000 default=low</param>
      <module name="SingleValue">
        <param name="afterLabel">Idle Indexer(s)</param>
        <param name="classField">range</param>
      </module>
    </module>
    <module name="SubmitButton">
      <module name="ViewRedirector">
        <param name="uriParam.pageTitle">Idle Indexers</param>
        <param name="viewTarget">indexer_list</param>
      </module>
    </module>
  </module>

Here it has a savedsearch which is what is run on the following page when you click through. The stats count does not follow it through and remains localised to this page.

My code has modified it in that I do not use a savedsearch but an actual search, the search passes through perfectly.
However the stats function does not work and the singlevalue only ever returns N/A.

<module name="HiddenSearch" layoutPanel="panel_row1_col1" group="Alerts within the last 12 hours" autoRun="True">
  <param name="search">host=127.0.0.1 notification_level=Critical device_ip=192.168.0.10 earliest=-12h@h </param>
  <param name="groupLabel">Alerts within the last 12 hours </param>
  <module name="JobProgressIndicator"/>
  <module name="HiddenPostProcess">
    <param name="search">stats count | rangemap field=count ok=0-0 critical=1-1000000 default=ok</param>
    <module name="SingleValue">
      <param name="afterLabel">Critical Alerts</param>
      <param name="classField">range</param>
    </module>
  </module>
  <module name="SubmitButton">
    <module name="ViewRedirector">
      <param name="viewTarget">view_alerts</param>
      <param name="uriParam.pageTitle">Alerts</param>
    </module>
  </module>
  <module name="ServerSideInclude">
    <param name="src">text/linebreak.html</param>
  </module>
</module>

Can anyone perhaps see any reason why this isn't working or something I might be getting wrong?

0 Karma
1 Solution

sideview
SplunkTrust

The problem with the N/A is that SingleValue has a very longstanding bug in it around postProcess. Although it will listen to postProcess searches, if the underlying search has 0 rows, there's a bug where it simply returns N/A without running the postProcess search. I'm not really sure why the bug hasn't been fixed yet because it's been known for a long time.

One option is to just fold the postProcess search up into the main Search. In Deployment Monitor it hangs several SingleValue modules off of a single search, but if you only have the one this is unnecessary and that would work around the SingleValue bug.

To back up a second, if you're trying to reverse engineer deployment monitor, you should probably take a look at Sideview Utils. All that stuff with the SubmitButton and the ViewRedirector and the ServerSideInclude, and all the custom CSS applied at the app level onto SingleValue is just a series of workarounds that you can do with my HTML module quite easily.

Here's a quick view I put together implementing what you need, but without all the extra modules and the extra CSS hacks it would require.

<module name="Search" layoutPanel="panel_row1_col1" group="Alerts within the last 12 hours" autoRun="True">
  <param name="search">host=127.0.0.1 notification_level=Critical device_ip=192.168.0.10 earliest=-12h@h </param>
  <module name="JobProgressIndicator"/>
  <module name="PostProcess">
    <param name="search">stats count | rangemap field=count low=0-0 severe=1-1000000 default=ok</param>
    <module name="HTML">
      <param name="html"><![CDATA[
        <!-- we reference SingleValue's class because we can then pick up
             SingleValue's nice low/ok/elevated/high/severe background 
             colors from the Splunk skin automatically. All we have to do 
             is have our class="low" or class="severe" div nested inside -->
        <div class="SingleValue">
          <div class="$results[0].range$">
            $results[0].count$ Critical Alerts
          </div>
        </div>
        <!-- link text below is a placeholder; the original link text was lost -->
        <a href="view_alerts?pageTitle=Alerts">View alerts</a>
      ]]></param>
    </module>
  </module>
</module>

In general I'm steering you towards Sideview Utils not so much for this constellation of SingleValue/SubmitButton/ViewRedirector stuff, but just because this level of app development is much easier in general. Notably you won't have to deal with "intentions" anymore, you'll have a much easier time sending arguments on links, and you'll be able to prepopulate form elements on the target page to match the arguments you sent. Check out the app and note that it contains its own documentation in the form of example views with embedded copy.
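
The first workaround from this answer, folding the post-process into the main search, as an added example that is not part of the original posts and not Splunk or Sideview code. It reuses the question's search and module names; keeping the click-through under a second HiddenSearch, so the target view receives the raw events rather than the stats row, is an assumption of this example.

```xml
<!-- Added example: constructed from the question's view. -->
<!-- Counter: stats/rangemap are folded into the main search, so the job
     returns one row (count=0, range=low) even when no events match, and
     SingleValue has a row to render without any post-process step. -->
<module name="HiddenSearch" layoutPanel="panel_row1_col1" group="Alerts within the last 12 hours" autoRun="True">
  <param name="search">host=127.0.0.1 notification_level=Critical device_ip=192.168.0.10 earliest=-12h@h | stats count | rangemap field=count low=0-0 severe=1-1000000 default=low</param>
  <param name="groupLabel">Alerts within the last 12 hours</param>
  <module name="JobProgressIndicator"/>
  <module name="SingleValue">
    <param name="afterLabel">Critical Alerts</param>
    <param name="classField">range</param>
  </module>
</module>

<!-- Click-through (assumption): held under its own HiddenSearch with the
     raw event search, so ViewRedirector hands view_alerts the events and
     not the folded stats row. No autoRun here: nothing is dispatched
     until the button is clicked. -->
<module name="HiddenSearch" layoutPanel="panel_row1_col1">
  <param name="search">host=127.0.0.1 notification_level=Critical device_ip=192.168.0.10 earliest=-12h@h</param>
  <module name="SubmitButton">
    <module name="ViewRedirector">
      <param name="viewTarget">view_alerts</param>
      <param name="uriParam.pageTitle">Alerts</param>
    </module>
  </module>
</module>
```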


sideview
SplunkTrust

Not without distributing that larger app under a GPL or LGPL license, which you probably don't want to do. In addition to the LGPL license available on Splunkbase, I am able to also grant broader licenses (i.e. to distribute and repackage Utils). There's a growing number of companies that are expressing interest in buying such a license so I'll have something put together here before the end of the year. If you're interested send me an email to get on my list. However what all the other apps are doing is requiring that Sideview Utils be downloaded separately by the end-user.

0 Karma

Drainy
Champion

Thanks for the detailed reply. I haven't looked in detail at the Sideview Utils as I am trying to develop an App for publishing here. Does the license allow for modules to be used in other Apps?

0 Karma