2. Add a couple of searches with Splunk views to display results

Django Bindings has been deprecated. For more, see the Deprecation Notice.

Now that we have an app with a page, let's add a couple of searches and display the results. We'll use a few simple searches on Splunk's internal index.

This first search is good for demonstrating a few search results in a tabular format:

search index=_internal sourcetype=splunkd | head 3

This second search is useful for showing data in a chart:

search index=_internal | head 1000 | stats count by sourcetype

Let's add these searches to our page template.

  1. In a text editor, open page1.html from the app's templates directory ($SPLUNK_HOME/etc/apps/mydjangoapp/django/mydjangoapp/templates/).
  2. Let's create the search managers. Find the managers block:
  3. {% block managers %}
        {# Search managers go here #}
    {% endblock managers %}

    Both of our searches are search jobs, so we'll create two SearchManagers. We'll create unique IDs for each one and provide the search queries, omitting the "search" command from the actual query string.

    Replace the manager block with the following:

    {% block managers %}
        {% searchmanager
            search="index=_internal sourcetype=splunkd | head 3"
        {% searchmanager
            search="index=_internal | head 1000 | stats count by sourcetype"
    {% endblock managers %}

    You'll see that in addition to the id and search properties, we've set the cache property. This property is useful during development because when set to True, if the same exact search has been run before, Splunk uses those results rather than running the search from scratch each time.

  4. Save your page. Go ahead and view the page in Splunk, but there isn't much to see yet until we add a couple of views. Let's do that now.
  5. In page.html, find the content block:
  6. {% block content %}
        <!-- You can use HTML and <div> tags for layout -->
        {# Splunk views go here #}
    {% endblock content%}

    To display the results of the first search in a result table, we'll add a Table view to the template with a couple of properties:

    • In the id property, specify a unique ID.
    • To link the table to the first search, set the Table view's managerid property to the search manager's id, "search_resulttable".

    We'll go through the same process for the second search. To display a pie chart, we'll add a Chart view:

    • In the id property, specify a unique ID.
    • In the type property, specify "pie" for a pie chart.
    • To link the chart to the second search, set the Chart view's managerid property to the search manager's id, "search_chart".

    Replace the content block with the following:

    {% block content %}
        {% table id="table_searchresults" managerid="search_resulttable" %}
        {% chart id="chart_sourcetype" managerid="search_chart" type="pie" %}
    {% endblock content%}
  7. Save your changes, then view the page in Splunk by going to http://<localhost:port>/dj/mydjangoapp/page1. You don't have to restart or even refresh Splunk to view your changes―just refresh the page in the web browser.
  8. Chart and Table views

So with very little code, we've added a couple of searches and views to the page. Now let's add some form controls to make it more interesting. Continue to 3. Add form controls to add interactivity to the page.