Refine your search:

Fetch results from a form search

0

Hi,

I made a simple form search like showed in the Splunk documentation (http://docs.splunk.com/Documentation/Splunk/latest/Developer/Step1CreateAForm).

Is it possible to fetch the results from this search and render it without using the <row> element? For example, is it possible to do something like <html>IP Address $src_ip$ is binded with MAC Address $src_mac$</html>

<form> <label>Lookup IP/MAC Addresses</label> <searchtemplate> sourcetype="DHCP_Log" AND src_ip = $src_ip$ AND src_mac != '' | sort -_time | head 1 | fields src_ip,src_mac </searchtemplate> <fieldset> <input type="text" token="src_ip"> <label>IP Address</label> <default></default> <seed></seed> <suffix>*</suffix> </input> </fieldset> <row> <option name="showPager">false</option> <option name="count">1</option>
</row> </form>

Thanks!

Regards, Stefan

asked 02 Mar '12, 07:39

Stefan%20van%20de%20Rijt's gravatar image

Stefan van d...
795
accept rate: 16%

edited 02 Mar '12, 07:44

2 Answers:
oldestnewestmost voted
0

Not to my knowledge, but what you can do is eval a field to contain the text that you want. Like:

sourcetype="DHCP_Log" AND src_ip = $src_ip$ AND src_mac != '' | sort -_time | head 1 | eval msg="IP Address ".src_ip." is binded with MAC Address ".src_mac | fields msg
link

answered 02 Mar '12, 08:05

Ayn's gravatar image

Ayn
24.8k3717
accept rate: 41%

0

Thanks for your reply. At then end I used Sideview Utils to extract the results.

<view autoCancelInterval="90" isVisible="true" onunloadCancelJobs="true" template="dashboard.html" isSticky="False">
    <label>IP / MAC</label>
    <module name="AccountBar" layoutPanel="appHeader" />
    <module name="AppBar" layoutPanel="appHeader" />
    <module name="SideviewUtils" layoutPanel="appHeader" />

    <module name="HTML" layoutPanel="viewHeader">
            <param name="html"><![CDATA[
                    <h1>Lookup IP and MAC addresses</h1>
            ]]></param>
    </module>

    <module name="TextField" layoutPanel="panel_row1_col1" autoRun="False">
            <param name="name">selectedReport</param>
            <param name="label">Lookup IP/MAC</param>

            <module name="Search" layoutPanel="panel_row2_col1" group="Device information">
                    <param name="search">sourcetype=DHCP_Log AND (src_ip = $selectedReport$ AND src_mac != '') OR (src_ip != '' AND src_mac = $selectedReport$) | head 1</param>
                    <param name="earliest">-120min</param>

                    <module name="HTML">
                            <param name="html"><![CDATA[
                                    <div>IP Address: $results[0].src_ip$<br />
                                    MAC Address: $results[0].src_mac$<br />
                                    </div>
                            ]]></param>
                    </module>
            </module>
    </module>
</view>
link

answered 15 Mar '12, 04:15

Stefan%20van%20de%20Rijt's gravatar image

Stefan van d...
795
accept rate: 16%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×136
×112

Asked: 02 Mar '12, 07:39

Seen: 666 times

Last updated: 15 Mar '12, 04:21

Related questions

using "eval" in a search form - results table not updating

Can't sort table results from a form search

Advanced XML Form Search Problem

can't sort table results from a form search

Field display problem converting views from 4.0 to 4.1.5?

Using a form to populate Search page

Use results from search as input to a lookup

How to use populatingSavedSearch of a form field?

How to send "NOT <something>" in a form search field

Copyright © 2005-2012 Splunk Inc. All rights reserved.