Since the template has access to everything in the event, you can use the fields in any way you like. The following example creates a horizontal table of fields but lets the user name the set of fields to display in a special field.
Our template, stored in appserver/event_renderers/tabular.html, looks as follows:
<%inherit file="//results/EventsViewer_default_renderer.html" />
<%def name="event_raw(job, event, request, options, xslt)">
<%
from mako.filters import html_escape
# Fields to show: the comma-separated list in the event's "tabular" field, or a default set
_fields = str(event.fields.get('tabular', 'host,source,sourcetype,linecount')).split(',')
head = ''
row = ''
for f in _fields:
    # Field names and values come from event data, so escape them before building markup
    head += "<th>" + html_escape(f) + "</th>"
    row += "<td>" + html_escape(str(event.fields.get(f, '-'))) + "</td>"
%>
<table class="tabular_eventtype">
<tr>
${head}
</tr>
<tr>
${row}
</tr>
</table>
</%def>
Note that we have extended the default event type renderer template, which means we will only change the rendering of the _raw field.
The entry in event_renderers.conf is as follows:
[tabular]
eventtype = tabular
template = tabular.html
Finally, our entries in application.css are as follows:
/* The class is set on the <table>, so its cells are selected as descendants */
table.tabular_eventtype th {
    background-color: #dddddd;
    border: 1px solid white;
    padding: 4px;
}
table.tabular_eventtype td {
    background-color: #eeeeee;
    border: 1px solid white;
    padding: 4px;
}
We are not going to bother giving this event type a definition, but we can use it by setting the value of eventtype in the query. Let's try it out by running the following query:
index="implsplunk" | eval eventtype="tabular"
We see the following output based on the default fields specified in the template:
Note that we still see the event number, the workflow actions menu, the local time as rendered by Splunk, and the selected fields underneath our template output.
We have really only overridden the rendering of _raw. If we list the fields we want in the tabular field, the template will display those fields in the table:
index="implsplunk" sourcetype="template_example" | eval tabular="level,logger,message,foo,network" | eval eventtype="tabular"
This gives us the output shown in the following screenshot:
As per the following template code, any field that does not have a value is rendered as -:
str(event.fields.get(f, '-'))
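Field names and values come from indexed event data, so a renderer that concatenates them into HTML has to escape them first. The following added example (not from the original text) reproduces the template's table-building loop as a plain-Python function, `render_table`, and uses a hypothetical `unexpected_tags` check on a constructed event to compare raw and escaped output.

```python
from html import escape
from html.parser import HTMLParser

DEFAULT_FIELDS = "host,source,sourcetype,linecount"
ALLOWED_TAGS = {"table", "tr", "th", "td"}  # the only elements the renderer means to emit

def render_table(fields, escape_values=True):
    """Rebuild the renderer's <table> from a dict of event fields (plain-Python stand-in)."""
    esc = escape if escape_values else (lambda s: s)
    names = str(fields.get("tabular", DEFAULT_FIELDS)).split(",")
    head = "".join("<th>" + esc(f) + "</th>" for f in names)
    row = "".join("<td>" + esc(str(fields.get(f, "-"))) + "</td>" for f in names)
    return ('<table class="tabular_eventtype"><tr>' + head + "</tr><tr>" + row + "</tr></table>")

class TagCollector(HTMLParser):
    """Records every start tag an HTML parser recognises in the markup."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def unexpected_tags(markup):
    """Return elements present in the output that did not come from the renderer itself."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return sorted(set(collector.tags) - ALLOWED_TAGS)

# Constructed sample event: the message field carries markup taken from a logged request.
EVENT = {
    "tabular": "level,logger,message,foo",
    "level": "ERROR",
    "logger": "AuthClass",
    "message": "bad request: q=<script>alert(1)</script>",
}

if __name__ == "__main__":
    for flag in (False, True):
        html_out = render_table(EVENT, escape_values=flag)
        print("escaped" if flag else "raw    ", unexpected_tags(html_out))
        print(html_out)
```

The same `unexpected_tags` check can serve as a regression test for any custom renderer: feed it events whose fields contain markup and assert that only the renderer's own elements appear.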
It would be much simpler to use the table command instead of writing an event renderer. This approach is only appropriate when you need a very specific rendering or still need access to workflow actions. For another approach, check out the Table and Multiplexer modules available in the Sideview Utils app.