The column values(call_count) tells us that our lookup script only received eight rows of input, one for each unique value of url. This is far better than the 12,743 rows that an equivalent command would have received.
For more examples of scripted lookups, see $SPLUNK_HOME/etc/system/bin/external_lookup.py and the MAXMIND app available in Splunkbase.
Writing an event renderer
Event renderers give you the ability to make a specific template for a specific event type. To read more about creating event types, see Chapter 6, Extending Search.
Event renderers use mako templates (http://www.makotemplates.org/).
An event renderer is comprised of the following:
• A template stored at $SPLUNK_HOME/etc/apps/[yourapp]/appserver/event_renderers/[template].html
• A configuration entry in event_renderers.conf
• An optional event type definition in eventtypes.conf
• Optional CSS classes in application.css
Let's create a few small examples. All the files referenced are included in $SPLUNK_HOME/etc/apps/ImplementingSplunkExtendingExamples. These examples are not shared outside this app, so to see them in action, you will need to search from inside this app. Do this by pointing your browser at http://[yourserver]/app/ImplementingSplunkExtendingExamples/flashtimeline.
Using specific fields
If you know the names of the fields you want to display in your output, your template can be fairly simple. Let's look at the following event type template_example. The template is stored in appserver/event_renderers/template_example.html:
<%page args="job, event, request, options">
<ul class="template_example">
<li>
<b>time:</b>
${i18n.format_datetime_microseconds(event.get('_time', event.time))}
</li>
<li>
<b>ip:</b>
${event.get('ip', '')}
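
The template above writes event field values such as ip into HTML, and Mako itself inserts a ${...} expression without HTML escaping unless an h filter applies. The following check is an added example, not code from the book or from Splunk: it lists the expressions in a renderer template that carry no h filter. It assumes the renderer sets no default HTML filter; SAMPLE and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the template above, plus one escaped field.
SAMPLE = """<%page args="job, event, request, options">
<ul class="template_example">
<li><b>ip:</b> ${event.get('ip', '')}</li>
<li><b>user:</b> ${event.get('user', '') | h}</li>
<li><b>note:</b> ${event.get('a|b', {}).get('x') or '}'}</li>
</ul>
"""

def expressions(template):
    """Yield (line_no, expr, filters) for each ${...} in a Mako template."""
    pos = 0
    while (start := template.find("${", pos)) != -1:
        i, depth, quote, bar = start + 2, 0, None, None
        while i < len(template):
            ch = template[i]
            if quote:                       # inside a string literal
                if ch == "\\":
                    i += 1                  # skip the escaped character
                elif ch == quote:
                    quote = None
            elif ch in "'\"":
                quote = ch
            elif ch in "([{":
                depth += 1
            elif ch in ")]":
                depth -= 1
            elif ch == "}":
                if depth == 0:
                    break                   # end of the ${...} expression
                depth -= 1
            elif ch == "|" and depth == 0 and bar is None:
                bar = i                     # first top-level '|' starts the filters
            i += 1
        end = i if bar is None else bar
        filters = [] if bar is None else [f.strip() for f in template[bar + 1:i].split(",")]
        yield template.count("\n", 0, start) + 1, template[start + 2:end].strip(), filters
        pos = i + 1

def unescaped(template):
    """Return [(line_no, expr)] for expressions rendered without the h filter."""
    page = re.search(r'<%page\b[^>]*\bexpression_filter\s*=\s*"([^"]*)"', template)
    if page and "h" in [f.strip() for f in page.group(1).split(",")]:
        return []                           # page-level filter covers every expression
    return [(n, e) for n, e, f in expressions(template) if "h" not in f]
```

The check also reports expressions whose output is already safe, such as a formatted timestamp, so its results are a review list rather than a verdict.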