Hello,
As in the previous post, I would like to interpret code in HTML.
Just a little change: the HTML is in a token.
<dashboard>
  <label>TEST</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=* |stats count by sourcetype</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
          <finalized>
            <condition match=" 'job.resultCount' != 0">
              <set token="tok_wimg">Number of results : <BR/>$result.sourcetype$</set>
            </condition>
            <condition>
              <set token="tok_wimg">No result found</set>
            </condition>
          </finalized>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <h1>$tok_wimg$</h1>
      </html>
    </panel>
  </row>
</dashboard>
How can I see this in the HTML:
Number of results :
2
@mclane1, what you are asking can actually lead to an HTML injection vulnerability. So although there is an option to pass on <br/> within a Splunk token, it will always be treated as a string through HTML escaping. So following is an easy workaround that you can try:
<dashboard>
  <label>Dashboard Token with HTML</label>
  <search id="baseSearch">
    <query>index=_internal
      | stats count by sourcetype</query>
    <earliest>-60m@m</earliest>
    <latest>now</latest>
    <done>
      <condition match="$job.resultCount$ == 0">
        <set token="tok_wimg_static">No results found</set>
        <set token="tok_wimg_dynamic"></set>
      </condition>
      <condition>
        <set token="tok_wimg_static">Number of results :</set>
        <set token="tok_wimg_dynamic">$job.resultCount$</set>
      </condition>
    </done>
  </search>
  <row>
    <panel>
      <table>
        <search base="baseSearch"></search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <h1>$tok_wimg_static$<br/>$tok_wimg_dynamic$</h1>
      </html>
    </panel>
  </row>
</dashboard>
I have retained <br/> within the <html> section and broken down the text to be displayed into two sections (static and dynamic based on number of results).
PS: If you are on Splunk Enterprise prior to 6.5 you would need to use <finalized> as used in your question, else use <done> as used in this example, since the Search Event Handlers have been changed. Post Splunk Enterprise 6.5, the <finalized> and <preview> search event handlers have been changed with <done> and <progress> Event Handlers.
Finally, I use the split(field, ",") command in the query.
Yes, the split() function or the makemv command will also do. Following is a run-anywhere search:
| makeresults
| eval field="A,B,C,D"
| makemv field delim=","
I was afraid of this answer. In reality, I have replace(field, ",", "<BR/>") in the query but, like you say, it can actually lead to an HTML injection vulnerability.
I am searching again for another possibility.
My field contains "A,B,C,D"
and I want
A
B
C
D
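The separation the answer describes (markup stays static in the page, field data is escaped) applied to the comma-separated field from the last comment, as an added JavaScript example that is not part of the original thread and not Splunk's own code. The helper names escapeHtml, renderNaive and renderSafe are hypothetical, and the sample values are constructed.

```javascript
// Added example (not Splunk code). All function names are hypothetical.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Equivalent of replace(field, ",", "<BR/>") rendered without escaping:
// any markup already present in the field value reaches the page unchanged.
function renderNaive(field) {
  return String(field).replace(/,/g, '<br/>');
}

// Split first, escape every value, then join with a separator that only the
// dashboard author controls. Field data can no longer introduce markup.
function renderSafe(field) {
  return String(field)
    .split(',')
    .map((item) => escapeHtml(item.trim()))
    .filter((item) => item.length > 0)
    .join('<br/>');
}

// Constructed sample values: the field from the thread, and one whose
// second item carries markup that came from indexed data.
const benignField = 'A,B,C,D';
const markupField = 'A,<u>B</u>,C';

console.log(renderSafe(benignField));   // one line break between each value
console.log(renderNaive(markupField));  // the <u> element is interpreted by the browser
console.log(renderSafe(markupField));   // the <u> element is shown as literal text
```
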