Splunk Search

One Tile per Table Row

genesiusj
Builder

Hello,
I have a search that generates over 50's rows and 12 columns. I need to create a tile for each row.
I thought about single value and trellis.
However, these have limitations:

  1. Can't trellis tables
  2. 20 chart/graph limit before pagination
  3. Can't sort on a different field-value pair
  4. Only 2 field-value pairs per single value panel

As the number of rows is dynamic, the number of tiles needs to be able to change (can't hardcode 50 tiles with the device name).

Here column names in each row that are required for each tile.

Device Name
Status - Time Latest Event
Parameter 1 - Last 5 mins / Last 60 mins / Last 24 hours
Parameter 2 - Last 5 mins / Last 60 mins / Last 24 hours
Parameter 3 - Last 5 mins / Last 60 mins / Last 24 hours

Example

Server123
Up - Wed Jan 22, 2020 12:00:00
Hits:           200 / 2800 / 55000
Inquiries:  150 / 2400 / 53000
Errors:           6 /     10 /        43

If possible, would like to color code the different time intervals .

I've seen that Splunk ITSI breaks the 20 tile barrier of Trellis; however, in the screenshots I've seen, only 2 field-value pairs per tile.

We do not have ITSI, so I'm not able to check the code to determine if it could be modified to handle more field-value pairs.

Here are some of my thoughts on how I might be able to accomplish this.

  1. Set tokens for each row (column value).
  2. Use an **** panel to populate the 12 tokens from that row.
  3. Cycle through each row creating a new tile. Is there a for-next loop construct within SPL/XML? Is it possible to create a new panel during a search using **** and **** tags?

Your thoughts, ideas, comments, direction appreciated.

UPDATED

Here is a screen shot.
Printer Dashboard Example

I'm working with the transpose command to resolve some of these issues. However, I am facing new issues: I can't maintain the formatting (colorPalette) once transposed; what are the new field names in order to run additional commands against.
See this post from me for details.
First transpose. Then colorPalette.

Thanks and God bless,
Genesius

0 Karma

woodcock
Esteemed Legend

Look at the BRILLIANT Bubble Chart hack here:
https://answers.splunk.com/answers/785029/what-is-the-best-way-to-get-100ish-greeenyellowred.html
Be sure to UpVote his answer (he deserves it).
His answer (and my update to it below) shows you how to control the array dimensions in your search results.

0 Karma

niketn
Legend

@genesiusj would it be possible for you to post the mock screenshot of the desired output? Based on your use case or ITSI scenario you have mentioned.

You can refer to one of my older answers where I have used Simple XML JS extension to parse through the search result rows using SplunkJS Stack and then format results as html section. You can go ahead and create html output as per your needs.

https://answers.splunk.com/answers/662523/how-to-show-table-result-in-one-page-table-modific.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

genesiusj
Builder

@niketnilay
I don't appear to have enough karma to paste screenshots in my posts. ;-(
Is there any other way to get this to you, and the rest of the Answeres Community?
Thanks and God bless,
Genesius

0 Karma

niketn
Legend

@genesiusj you can always upload to image sharing sites and post the link using image button here on Splunk Answers (for example imgur). Please ensure that you mask/anonymize any sensitive information before posting.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

genesiusj
Builder

@niketnilay

BTW, when will I be permitted to paste screenshots?

Thanks and God bless,
Genesius

0 Karma

somesoni2
SplunkTrust
SplunkTrust

You'll need 60 karma points to be able to add images.
Reference Karma points rewards: https://docs.splunk.com/Documentation/Splunkbase/splunkbase/Answers/HowtoearnKarma#Karma_rewards

0 Karma

genesiusj
Builder

@somesoni
Thank you for the information.
I can add an image link (link needs to be on the Internet - file-sharing site; which goes against internal Internet policies), but I can't upload an image from my PC to the post.
Am I doing something wrong?
Thanks and God bless,
Genesius

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...