
Display search result as a read-only text box or a small sized table

sh254087
Communicator

I have a dashboard with a drop-down that will have a list of values populated to it. When the user selects a value from the drop-down, on change, a list of values (in one column) related to the selected value will be retrieved and displayed, after which the same selected value will be used for further proceedings.

Now I need to display these values in a small read-only text box or a table (or something like that) of a very small size (no, not that usual regular size table inside a panel). This should be a very small read-only list or table amidst the text data.

Something like: a user selects an author name from the list and I would want to show quick info about the list of books written by that author, just an FYI for the user, and then use the same drop-down value to do my further job.

Looking for some help in this regard.

0 Karma

niketn
Legend

@sh254087, please try the following run-anywhere example based on Splunk's _internal index. Since you want to pick a specific table row value based on the dropdown value, you can use Splunk's default search event handler token, i.e. $result.fieldname$, depending on which fields you have. In case the search returns no result or a specific field is not present, the following example should show NA.

Also, I have used CSS style directly on the <div> using an <html> panel. You can choose any other option you like!

Following is the Simple XML code for the dashboard:

<form>
  <label>Filter and Show Results based on Dropdown</label>
  <search>
    <query>index=_internal sourcetype=splunkd log_level!=INFO component="$tokComponent$"
| chart count by component log_level
    </query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
    <done>
      <condition match="$job.resultCount$!=0">
        <eval token="tokError">if(isnull($result.ERROR$),"NA",$result.ERROR$)</eval>
        <eval token="tokWarn">if(isnull($result.WARN$),"NA",$result.WARN$)</eval>
      </condition>
      <condition>
        <set token="tokError">NA</set>
        <set token="tokWarn">NA</set>
      </condition>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="tokComponent" searchWhenChanged="true">
      <label>Select Component</label>
      <fieldForLabel>component</fieldForLabel>
      <fieldForValue>component</fieldForValue>
      <search>
        <query>index=_internal sourcetype=splunkd log_level!=INFO
| dedup component
| sort component
| table component</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row depends="$tokComponent$">
    <panel>
      <html>
        <div style="color:blue;font-size:80%">Component:$tokComponent$ -> Error: $tokError$ | Warn: $tokWarn$</div>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!=INFO
| chart count by component log_level</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

poete
Builder

Hello @sh254087,

Did you try to use CSS in order to change the size of the text displayed in the column of the table displaying the 'list of books'? I would advise, in Splunk, once the 'title' is selected in the dropdown, to display a dedicated row containing a panel (table). This table, once given the right id, can be modified using the id as reference, in order to change the size of the strings in the column referring to the 'list of books' of the author.

Would this be a suitable way to solve your problem?
If so, I can provide an example and references to Splunk docs as an answer here.

0 Karma
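
The approach described in the post above (a dedicated table that is given an id and shrunk with CSS), as an added example that is not part of the original thread. The id `compactList`, the never-set token `$alwaysHideCSS$` and the CSS sizes are assumptions; the searches reuse the _internal index from niketn's answer, with `log_level` standing in for the one-column list of related values.

```xml
<form>
  <label>Compact read-only list for the selected component</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="tokComponent" searchWhenChanged="true">
      <label>Select Component</label>
      <fieldForLabel>component</fieldForLabel>
      <fieldForValue>component</fieldForValue>
      <search>
        <query>index=_internal sourcetype=splunkd log_level!=INFO
| stats count by component
| fields component</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row depends="$tokComponent$">
    <panel>
      <!-- $alwaysHideCSS$ is never set, so this html block stays hidden; only its style applies -->
      <html depends="$alwaysHideCSS$">
        <style>
          #compactList { width: 30% !important; }
          #compactList table th, #compactList table td {
            font-size: 80% !important;
            padding: 2px 6px !important;
          }
        </style>
      </html>
      <!-- The |s filter quotes the token value, so a value with spaces or quotes stays one search term -->
      <table id="compactList">
        <search>
          <query>index=_internal sourcetype=splunkd log_level!=INFO component=$tokComponent|s$
| stats count by log_level
| fields log_level</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">5</option>
        <option name="drilldown">none</option>
        <option name="rowNumbers">false</option>
      </table>
    </panel>
  </row>
</form>
```

With `drilldown` set to `none` the table is display-only, and `$tokComponent$` remains available to any other search on the dashboard.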

sh254087
Communicator

Hello @poete, please share the information. Meanwhile I'll try what Niket has shared in the comment below.

0 Karma