How to set a token from a base search in my dashboard to be consumed in an HTML panel?

mclane1
Path Finder

Hello,
Like the previous post, I would like to interpret code in HTML.
Just a little change: HTML in the token.

<dashboard>
   <label>TEST</label>
   <row>
     <panel>
       <table>
         <search>
           <query>index=* |stats count by sourcetype</query>
           <earliest>-60m@m</earliest>
           <latest>now</latest>
           <finalized>
             <condition match=" 'job.resultCount' != 0">
               <set token="tok_wimg">Number of results : &lt;BR/&gt;$result.sourcetype$</set>
             </condition>
             <condition>
               <set token="tok_wimg">No result found</set>
             </condition>
           </finalized>
         </search>
         <option name="wrap">true</option>
         <option name="rowNumbers">false</option>
         <option name="drilldown">cell</option>
         <option name="dataOverlayMode">none</option>
         <option name="count">10</option>
       </table>
     </panel>
   </row>
   <row>
     <panel>
       <html>
       <h1>$tok_wimg$</h1>
     </html>
     </panel>
   </row>
 </dashboard>

How can I see this in HTML:

Number of results :
2

0 Karma

niketn
Legend

@mclane1, what you are asking can actually lead to an HTML injection vulnerability. So although there is an option to pass <br/> within a Splunk token, it will always be treated as a string through HTML escaping. The following is an easy workaround that you can try:

<dashboard>
  <label>Dashboard Token with HTML</label>
    <search id="baseSearch">
      <query>index=_internal
| stats count by sourcetype</query>
      <earliest>-60m@m</earliest>
      <latest>now</latest>
      <done>
        <condition match="$job.resultCount$ == 0">
          <set token="tok_wimg_static">No results found</set>
          <set token="tok_wimg_dynamic"></set>
        </condition>
        <condition>
          <set token="tok_wimg_static">Number of results :</set>
          <set token="tok_wimg_dynamic">$job.resultCount$</set>
        </condition>
      </done>
    </search>  
    <row>
      <panel>
        <table>
          <search base="baseSearch"></search>
          <option name="wrap">true</option>
          <option name="rowNumbers">false</option>
          <option name="drilldown">cell</option>
          <option name="dataOverlayMode">none</option>
          <option name="count">10</option>
        </table>
      </panel>
    </row>
    <row>
      <panel>
        <html>
        <h1>$tok_wimg_static$<br/>$tok_wimg_dynamic$</h1>
      </html>
      </panel>
    </row>
  </dashboard>

I have retained <br/> within the <html> section and broken down the text to be displayed into two sections (static and dynamic, based on number of results).

PS: If you are on Splunk Enterprise prior to 6.5, you would need to use <finalized> as used in your question; otherwise use <done> as used in this example, since the search event handlers have been changed. Post Splunk Enterprise 6.5, the <finalized> and <preview> search event handlers have been replaced with the <done> and <progress> event handlers.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

mclane1
Path Finder

Finally, I use the split(field, ",") command in the query.

niketn
Legend

Yes, the split() function or the makemv command will also do. The following is a run-anywhere search:

| makeresults
| eval field="A,B,C,D"
| makemv field delim=","
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

mclane1
Path Finder

I was afraid of this answer. In reality, I have replace(field, ",", "<BR/>") in the query but, like you say, it can actually lead to an HTML injection vulnerability.
I will search again for another possibility.

0 Karma

mclane1
Path Finder

My field contains "A,B,C,D"
and I want

A
B
C
D
0 Karma
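
Added example, not part of the original thread and not Splunk's own code: a small JavaScript model of the behaviour described in the accepted answer (token values are HTML-escaped, markup stays static in the panel) and of the "A,B,C,D" case from the comments, where each part is escaped and only the separator is static markup. The function names, token names and sample values are assumptions made for this illustration.

```javascript
// Simplified model of escaped token substitution; not Splunk's implementation.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Replace $name$ placeholders in a static template. `encode` decides how a
// token value is turned into markup. Unknown tokens are left untouched.
function substitute(template, tokens, encode) {
  return template.replace(/\$([A-Za-z_][\w.]*)\$/g, (match, name) =>
    Object.prototype.hasOwnProperty.call(tokens, name) ? encode(tokens[name]) : match);
}

// What the answer describes: the token value is always treated as a string.
const renderEscaped = (template, tokens) => substitute(template, tokens, escapeHtml);

// What the question asked for, shown for comparison only: the token value is
// interpreted as HTML, so any indexed data that reaches the token becomes markup.
const renderRaw = (template, tokens) => substitute(template, tokens, String);

// Line breaks for a delimited field without trusting the field content:
// split first, escape every part, then join with a static <br/>.
function renderLines(value, delim = ',') {
  return String(value)
    .split(delim)
    .map((part) => escapeHtml(part.trim()))
    .join('<br/>');
}

// Constructed sample data (hypothetical token names and field values).
const TEMPLATE = '<h1>$tok_static$<br/>$tok_dynamic$</h1>';
const BENIGN = { tok_static: 'Number of results :', tok_dynamic: '2' };
const FROM_DATA = { tok_static: 'Number of results :', tok_dynamic: 'A<br/><a href="//example.invalid">B</a>' };

function demo() {
  return {
    benign: renderEscaped(TEMPLATE, BENIGN),
    escaped: renderEscaped(TEMPLATE, FROM_DATA),
    raw: renderRaw(TEMPLATE, FROM_DATA),
    lines: renderLines('A,<b>B</b>,C,D'),
  };
}

console.log(demo());
```

The `raw` result contains a live link taken from the field value, while `escaped` and `lines` show the same characters as inert text; the only markup in the output is what the template author wrote.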