Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Fetch results from a form search

Stefan_van_de_R
Explorer
‎03-02-2012 07:39 AM

Hi,

I made a simple form search like showed in the Splunk documentation (http://docs.splunk.com/Documentation/Splunk/latest/Developer/Step1CreateAForm).

Is it possible to fetch the results from this search and render it without using the element?
For example, is it possible to do something like IP Address $src_ip$ is binded with MAC Address $src_mac$

sourcetype="DHCP_Log" AND src_ip = $src_ip$ AND src_mac != '' | sort -_time | head 1 | fields src_ip,src_mac
*
false 1

Thanks!

Regards, Stefan

Tags (2)
0 Karma
Reply

Stefan_van_de_R
Explorer
‎03-15-2012 04:15 AM

Thanks for your reply. At then end I used Sideview Utils to extract the results.

<view autoCancelInterval="90" isVisible="true" onunloadCancelJobs="true" template="dashboard.html" isSticky="False">
    <label>IP / MAC</label>
    <module name="AccountBar" layoutPanel="appHeader" />
    <module name="AppBar" layoutPanel="appHeader" />
    <module name="SideviewUtils" layoutPanel="appHeader" />

    <module name="HTML" layoutPanel="viewHeader">
            <param name="html"><![CDATA[
                    <h1>Lookup IP and MAC addresses</h1>
            ]]></param>
    </module>

    <module name="TextField" layoutPanel="panel_row1_col1" autoRun="False">
            <param name="name">selectedReport</param>
            <param name="label">Lookup IP/MAC</param>

            <module name="Search" layoutPanel="panel_row2_col1" group="Device information">
                    <param name="search">sourcetype=DHCP_Log AND (src_ip = $selectedReport$ AND src_mac != '') OR (src_ip != '' AND src_mac = $selectedReport$) | head 1</param>
                    <param name="earliest">-120min</param>

                    <module name="HTML">
                            <param name="html"><![CDATA[
                                    <div>IP Address: $results[0].src_ip$<br />
                                    MAC Address: $results[0].src_mac$<br />
                                    </div>
                            ]]></param>
                    </module>
            </module>
    </module>

0 Karma
Reply

Ayn
Legend
‎03-02-2012 08:05 AM

Not to my knowledge, but what you can do is eval a field to contain the text that you want. Like:

sourcetype="DHCP_Log" AND src_ip = $src_ip$ AND src_mac != '' | sort -_time | head 1 | eval msg="IP Address ".src_ip." is binded with MAC Address ".src_mac | fields msg
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...