This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6
Use the information in this topic to customize how your events look, including formatting and adding any icons or decorations to the text. Change the default event display by matching event types with custom HTML. Note that the custom HTML is built on Mako templates. Read on for instructions.
If you're not familiar with event types, read more about them in the Knowledge Manager Manual.
Here's how to customize your events:
1. Tag the relevant data with an event type.
2. Add an HTML template to your App's event_renderers directory in: $SPLUNK_HOME/etc/apps/<app_name>/appserver/event_renderers.
3. Add an event_renderers.conf to $SPLUNK_HOME/etc/apps/<app_name>/default/event_renderers.conf that links the HTML template to the eventtype.
Here's an example event_renderers.conf:
[test]
eventtype = test
template = _test.html
template_app = test_app
priority = 100
To write your own, set the following:
$SPLUNK_HOME/etc/apps/<app_name>/appserver/event_renderers).
The HTML template will be loaded every time Splunk loads the specified event type. Templates use Mako (http://www.makotemplates.org/), a template library written in Python. The default template for displaying search results is located in $SPLUNK_HOME/share/splunk/search_mrsparkle/modules/results/EventsViewer_default_renderer.html.
Here is a simple example that takes events from a search and returns a simplified event display:
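<%page args="host_app, client_app, event, field_list, job, segmentation" />
<% search = event.fields['_search'] %>
<% count = event.fields['_count'] %>
<% tags = event.fields.get('_tags','') %>
<% example = event.fields.get('_example','No example') %>
<span id="eventTypeForm"></span>
## Field values come from indexed event data, so HTML-escape them on output.
${count|h} events: <b>${search|h}</b><br/>
Example: ${example|h}<br/>
## h is HTML escaping only; a value placed inside the JavaScript string below would also need JavaScript string escaping.
<a href="#" onclick="Splunk.Popup.createEventtypeForm($('eventTypeForm')[0], 'Save Eventtype', '${search|h}', '${tags|h}');">Save</a>
## The search goes into a URL query parameter, so URL-encode it with the u filter.
<a target="_blank" href="flashtimeline?q=search+${search|u}">Test</a>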
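The sample template writes event data into three output contexts: HTML text, a JavaScript string inside an onclick attribute, and a URL query string. As an added example (not part of the Splunk documentation or Splunk's own code), this standard-library Python code renders the same markup with escaping matched to each context; the helper names and the sample event are assumptions made up for illustration.

```python
# Added example, standard library only; Mako is not imported here.
import html
import json
from urllib.parse import quote_plus

def html_text(value):
    """HTML body or quoted attribute (the job of Mako's `h` filter)."""
    return html.escape(str(value), quote=True)

def url_param(value):
    """URL query parameter (the job of Mako's `u` filter)."""
    return quote_plus(str(value))

def js_string(value):
    """JavaScript string literal; still needs html_text() inside an attribute."""
    return json.dumps(str(value))

def render_event(fields):
    """Emit the same markup as the sample template, escaping per context."""
    search = fields["_search"]
    tags = fields.get("_tags", "")
    example = fields.get("_example", "No example")
    # Build the handler as JavaScript first, then HTML-escape the whole
    # attribute value: the browser HTML-decodes it before running the script.
    handler = ("Splunk.Popup.createEventtypeForm($('eventTypeForm')[0], "
               "'Save Eventtype', %s, %s);" % (js_string(search), js_string(tags)))
    return "\n".join([
        '<span id="eventTypeForm"></span>',
        "%s events: <b>%s</b><br/>" % (html_text(fields["_count"]), html_text(search)),
        "Example: %s<br/>" % html_text(example),
        '<a href="#" onclick="%s">Save</a>' % html_text(handler),
        '<a target="_blank" href="flashtimeline?q=%s">Test</a>'
        % url_param("search " + search),
    ])

# Constructed event: field values as they might arrive from untrusted log data.
SAMPLE = {
    "_search": "user=\"o'brien\" <b>&</b>",
    "_count": 3,
    "_example": "<script>alert(1)</script>",
}

if __name__ == "__main__":
    print(render_event(SAMPLE))
```

Decoding the onclick value the way a browser does (HTML-unescape, then parse the string literal) returns the original field value unchanged, which is the property the two-layer escaping is meant to preserve.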
Here's a quick example that you can load into the Search App that ships with Splunk. The oldman renderer makes the raw text easier to read.
1. Drop oldman.css into /etc/apps/search/appserver/static. This file contains CSS rules that are specific to this application. In this case, it contains CSS rules that will be used in our custom event renderer. This is actually optional if you choose to use inline CSS styling in the event renderer template itself. Best to use a CSS file, however.
2. Drop oldman.html into /etc/apps/search/appserver/event_renderers. You may need to create this directory. I just stripped down the default event renderer to make this. The templating language is Mako (http://www.makotemplates.org/).
3. Drop event_renderers.conf into /etc/apps/search/local. This conf file tells Splunk which event renderer to use for which eventtype. You will need to create an eventtype called ‘oldman’ for this renderer to kick in.