
HTML sideview module with nested search modules

phoenixdigital
Builder

Now I have about 30 searches with single value results that I would like to include in one sideview HTML panel.

Is there a way to have nested searches and one HTML panel which can pull data from each nested search?

I know I could append one search after the other in one massive search. However, this would make the whole thing a little unwieldy.

I would like it if this were possible:

<module name="Search" layoutPanel="panel_row2_col1" autoRun="True">
    <param name="search">index=_internal source=*metrics.log group=per_sourcetype_thruput | head 1000 | stats sum(kb) as kb by series | sort - kb</param>

    <module name="Search" layoutPanel="panel_row2_col1" autoRun="True">
        <param name="search">index=main something="this"</param>

        <module name="HTML">
            <param name="html"><![CDATA[
                <h2>Some HTML with results like this $results[0].series$ and the second search results are $otherResults[0].dataValue$</h2>
            ]]></param>
        </module>
    </module>
</module>

As you can see, I would like to access the first search with $results[0].series$ and the second one with $otherResults[0].dataValue$. Is there a way to override the Search module's variable name that the results get returned as, from results to something else?

0 Karma
1 Solution

sideview
SplunkTrust

The first step of course, is to combine as many of the searches as you can so that your dashboard has to dispatch fewer searches and so Splunk has to do less work.

But yes there is a way to display the results from different searches in a single HTML module. The answer though is not in the HTML module itself, but in using the ResultsValueSetter module in conjunction with it.

Whereas the HTML module will allow you to render field values from the current search results with $results[0].someFieldName$, the ResultsValueSetter module allows you to pull down one or more field values from the current search results, and then make those field values available as simple $someFieldName$ tokens for all modules downstream.

Here's an example:

<module name="Search" autoRun="True">
  <param name="search">index=_internal source=*metrics.log group=per_sourcetype_thruput | head 1000 | stats sum(kb) as kb by series | rename series as sourcetype | sort - kb</param>

  <module name="ResultsValueSetter">
    <param name="fields">sourcetype,kb</param>

    <module name="Search">
      <param name="search">index=main something="this" | stats dc(session_id) as sessions by username | sort - sessions</param>

      <module name="ResultsValueSetter">
        <param name="fields">username,sessions</param>

        <module name="HTML">
          <param name="html"><![CDATA[
            The sourcetype with the highest volume is <b>$sourcetype$</b> with a kb value of $kb$. <br>
            And the username with the most sessions is <b>$username$</b>, with $sessions$
          ]]></param>
        </module>
      </module>
    </module>
  </module>
</module>

Remember that ResultsValueSetter will only ever get field values from the first row of the search results. For further docs and examples, consult Sideview Utils itself. Within any relatively recent 2.X version of Sideview Utils you'll find a page about the ResultsValueSetter at "Module Documentation > Advanced Modules > The ResultsValueSetter Module".


0 Karma
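To make the token scoping in the answer concrete, here is an added Python model (not Sideview's code and not part of the original thread) of what the nested modules do: each ResultsValueSetter copies its listed fields from the first row only into a context that downstream modules inherit, and the HTML module resolves $field$ from that context and $results[N].field$ from the rows of its nearest enclosing search. The sample rows are constructed, and the HTML-escaping of inserted values is the model's own choice, not a statement about Sideview's behaviour.

```python
import html
import re

# Constructed sample rows standing in for the two searches in the answer above.
VOLUME_RESULTS = [
    {"sourcetype": "access_combined", "kb": "5120.5"},
    {"sourcetype": "syslog", "kb": "840.0"},
]
SESSION_RESULTS = [
    {"username": "<img src=x onerror=alert(1)>", "sessions": "42"},
    {"username": "bob", "sessions": "17"},
]

# Matches both $field$ and $results[N].field$ tokens.
TOKEN = re.compile(r"\$(?:results\[(\d+)\]\.)?([A-Za-z_]\w*)\$")

def results_value_setter(results, fields, context):
    """Model of ResultsValueSetter: copy the listed fields from the FIRST row
    only into the token context inherited by downstream modules."""
    downstream = dict(context)
    if results:                      # an empty search sets nothing
        first = results[0]
        for name in (f.strip() for f in fields.split(",")):
            if name in first:
                downstream[name] = first[name]
    return downstream

def render_html(template, context, current_results):
    """Model of the HTML module: $field$ comes from the inherited context,
    $results[N].field$ from the nearest search's rows; unknown tokens are left
    as written. Escaping is this model's choice (untrusted field values)."""
    def sub(m):
        row, name = m.group(1), m.group(2)
        if row is not None:
            idx = int(row)
            if idx < len(current_results) and name in current_results[idx]:
                return html.escape(current_results[idx][name])
            return m.group(0)
        return html.escape(context[name]) if name in context else m.group(0)
    return TOKEN.sub(sub, template)

def run_dashboard(volume_results, session_results):
    """Walk the answer's nesting: search -> setter -> search -> setter -> HTML."""
    ctx = results_value_setter(volume_results, "sourcetype,kb", {})
    ctx = results_value_setter(session_results, "username,sessions", ctx)
    template = ("The sourcetype with the highest volume is <b>$sourcetype$</b> with a kb value of $kb$. "
                "And the username with the most sessions is <b>$username$</b>, with $sessions$ "
                "(runner-up: $results[1].username$)")
    return render_html(template, ctx, session_results)
```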


phoenixdigital
Builder

This is perfect and exactly what I was looking for.

Agreed, I will be trying to do as much as I can in one search in order to limit fatigue on Splunk. In my actual searches I have one big search and a heap of different post-processing sub-searches. ResultsValueSetter will work a treat.

Thanks Nick

0 Karma