Having Event Viewer Render the HTML in a Field

ndoshi
Splunk Employee

My events have set fields that look like this:

7/9/10 5:00 foo="hi" bar="there" desc="<html><img src="http://server:port/picture.jpg></html>"

Notice that the desc field has HTML within it. What would be the HTML template file such that the first 2 fields and date are rendered as normal in Splunk Web, but the desc field is rendered as interpreted HTML? In other words, instead of showing the raw HTML text, the field is interpreted by the browser and rendered by it.

I assume that this would follow the steps in the docs: http://www.splunk.com/base/Documentation/latest/Developer/EventRendering , but I will need at minimum an HTML template to interpret the data so that it can be rendered properly.

In short, I'm just trying to get Splunk Web in the event viewer to allow the browser to render the HTML for a field that I know will always have proper HTML within it.

sideview
SplunkTrust

If you want all the normal bells and whistles of the EventsViewer module, like with the action menus and workflow-actions and field-clicking behavior and all that then you'll have to get into some complex stuff with a custom event renderer. Here are some docs http://docs.splunk.com/Documentation/Splunk/5.0.1/AdvancedDev/EventRendering

If you're using a relatively recent copy of Sideview Utils though (2.2 or greater), then you can use the Multiplexer module with an HTML module, instead of the EventsViewer. The advantage there is that you don't need any custom code at all - it looks like this:

<module name="Multiplexer">
  <param name="fields">desc</param>

  <module name="HTML">
    <param name="html"><![CDATA[
      <b>this is some static HTML, followed by the HTML in the desc field on the next line</b><br>
      $desc$

    ]]></param>
  </module>
</module>

Multiplexer is definitely a peculiar module. It's not a module anyone needs or uses very often. In fact you can probably get by without ever using it for anything ever. But when you do need it for something, it can be crazy useful. What it will do in this simple example is create a copy of that HTML module for every row in the current search results, and in each of those cloned HTML modules, the $desc$ key will have the value of the $desc$ field in that row of the search results. You can also multiplex any number of modules so you can nest complex configs with PostProcess and JSCharts and really powerful config in there if you ever need it.

There's a decent amount of docs dedicated to Multiplexer in Sideview Utils itself under "Module Documentation > Advanced Modules > The Multiplexer Module"
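
Since the goal in this thread is to have the browser interpret whatever HTML the desc field contains, the field's content is only as trustworthy as the data that was indexed. The following is an added example, not code from either post, from Splunk or from Sideview Utils: an allowlist filter that could be applied to the desc value before it is handed to a view. The function name `sanitize_desc`, the allowlist and the http(s)-only rule for `src` are assumptions.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed allowlist (not from the page): tag -> attributes it may keep.
ALLOWED = {"b": set(), "i": set(), "br": set(), "p": set(), "img": {"src", "alt"}}
VOID = {"br", "img"}                # no closing tag is emitted for these
DROP_CONTENT = {"script", "style"}  # the tag and its text are both discarded

def _http_url(value):
    """True only for absolute http(s) URLs; every other scheme is rejected."""
    return re.match(r"https?://", value.strip(), re.I) is not None

class _AllowlistFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED:
            kept = ""
            for name, value in attrs:
                value = value or ""
                # Unlisted attributes (event handlers, style, ...) are dropped.
                if name in ALLOWED[tag] and (name != "src" or _http_url(value)):
                    kept += f' {name}="{escape(value, quote=True)}"'
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # text is re-escaped, never passed raw

def sanitize_desc(value):
    """Return the desc field reduced to the allowlisted tags and attributes."""
    parser = _AllowlistFilter()
    parser.feed(value)
    parser.close()
    return "".join(parser.out)

# Constructed sample: the desc value from the question, with its quote closed.
SAMPLE = '<html><img src="http://server:port/picture.jpg"></html>'
```

Tags outside the allowlist, such as the wrapping `<html>` element in the sample, are removed while their text content is kept in escaped form.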
