To test our event type renderer, we need the configuration to be loaded.
You can accomplish this by restarting Splunk or by pointing your browser
to http://[yourserver]/debug/refresh.
At this point, we can run a query and apply the event type manually:
index="implsplunk" sourcetype="template_example"
| eval eventtype="template_example"
This renders each event, as shown in the following screenshot:
To make this automatic, we can create an event type definition in eventtypes.conf
as follows:
[template_example]
search = sourcetype=template_example
Now any query that finds events of sourcetype=template_example will be
rendered using our template.
Table of fields based on field value
Since the template has access to everything in the event, you can use the fields in
any way you like. The following example creates a horizontal table of fields and
lets the user choose which fields to display by listing them in a special field.
Our template, stored in appserver/event_renderers/tabular.html, looks
as follows:
<%inherit file="//results/EventsViewer_default_renderer.html" />\
<%def name="event_raw(job, event, request, options, xslt)">\
<%
import sys
_fields = str(event.fields.get('tabular', 'host,source,sourcetype,linecount')).split(',')
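
The field selection that the template above begins, modelled in plain Python as an added example (this is not the book's template). A dict stands in for event.fields; the function names, the sample event and the "-" placeholder for missing fields are assumptions, and names and values are HTML-escaped because both originate in indexed log data.

```python
from html import escape

# Default field list, taken from the template on the page.
DEFAULT_FIELDS = "host,source,sourcetype,linecount"


def select_fields(event_fields):
    """Return the field names to display, read from the 'tabular' field."""
    raw = str(event_fields.get("tabular", DEFAULT_FIELDS))
    # Drop empty names and stray whitespace, e.g. "host, user,,missing".
    names = [n.strip() for n in raw.split(",") if n.strip()]
    # An empty or blank 'tabular' value falls back to the defaults.
    return names or DEFAULT_FIELDS.split(",")


def render_table(event_fields):
    """Build a horizontal table: one header row of names, one row of values."""
    names = select_fields(event_fields)
    # Field names and values both come from indexed data, so escape both
    # before they are placed in HTML shown in the analyst's browser.
    head = "".join("<th>%s</th>" % escape(n) for n in names)
    row = "".join(
        "<td>%s</td>" % escape(str(event_fields.get(n, "-"))) for n in names
    )
    return "<table><tr>%s</tr><tr>%s</tr></table>" % (head, row)


# Constructed sample event (assumption): 'user' carries markup to show the
# escaping, and 'tabular' lists one field that the event does not have.
SAMPLE_EVENT = {
    "host": "web01",
    "source": "/var/log/app.log",
    "sourcetype": "template_example",
    "linecount": "1",
    "user": "<b>mary</b>",
    "tabular": "host, user,,missing",
}

if __name__ == "__main__":
    print(render_table(SAMPLE_EVENT))
    # No 'tabular' field: the default field list is used.
    print(render_table({"host": "web02"}))
```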
 