All Apps and Add-ons

Can we display search results in HTML tags using Splunk version 6.x?

rakesh_498115
Motivator

Hi All,

In Splunk older versions, there is a concept of distributing the Splunk search results in HTML modules, or HTML tags using the results token. i.e. results[0].fieldname etc.

In Splunk 6.x version do we have any examples of getting the same functionality?

My older sample code in Splunk 5.x version:

<module name="HiddenSearch" layoutPanel="panel_row1_col1_grp1" autoRun="True">
          <param name="search">index=_internal | stats count </param>
          <module name="HTML" layoutPanel="panel_row5_col1_grp1">
            <param name="html">
              <div> Search Results : $results.count$ </div>
            </param>
          </module>
        </module>

Can we have something similar for Splunk 6.x version ??

thanks,
Rakesh,.

0 Karma

niketn
Legend

Following are some of common search tokens:

Job Metadata
$job.earliestTime$ - Initial time a search job starts
$job.latestTime$ - Latest time recorded for the search job
$job.resultCount$ - Number of results returned by the search job
$job.runDuration$ - Time, in seconds, that the search took to complete
$job.messages$ - List of error and debug messages generated by the search job

Search Results (first result only)
$result.[fieldName]$ - Results are referenced directly by their field name.

Refer to Search Result Setter example on the Splunk 6.x Dashboard Example App.

    <search>
      <query>index=_internal |  top sourcetype</query>
      <earliest>-60m</earliest>
      <latest>now</latest>
      <!-- Use the following search events to access job properties, and set tokens that can be accessible throughout the page -->
      <!-- Progress event has access to job properties only (not first result row) -->
      <progress>
        <set token="sourcetype_count">$job.resultCount$</set>
      </progress>
      <cancelled>
        <unset token="sourcetype_count"></unset>
      </cancelled>
    </search>

Also for using HTML Panels in Splunk Dashboard refer to Null Search Swapper example. Following is a snippet from the same

  <html depends="$show_html$">
     <p style="color:blue;margin-left:30px;font-size:14px">Search returned no results, so we've hidden the chart!</p>
  </html>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

rakesh_498115
Motivator

Hi Niketnilay,

thanks for your reply. from the above code its show to refer to the first row of the results , how can we refer to the second row of the results ??

Search Results (first result only)
$result.[fieldName]$ - Results are referenced directly by their field name.

Is there any way to refer to the second row and so on...

many thanks,
Rakesh.

0 Karma

niketn
Legend

I don't think there is way through Simple XML. You can do it either through SDK or JavaScript Extensions.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

rakesh_498115
Motivator

Hi Niketnilay,

thanks for your reply. from the above code its show to refer to the first row of the results , how can we refer to the second row of the results ??

Search Results (first result only)
$result.[fieldName]$ - Results are referenced directly by their field name.

Is there any way to refer to the second row and so on...

many thanks,
Rakesh.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...