topic Re: Make set of data easily searchable for users on a dashboard? in Dashboards & Visualizations

Make set of data easily searchable for users on a dashboard?

xxkenta — Mon, 18 Dec 2017 21:22:57 GMT

I would like to make either an app/add-on or a dashboard so that users who use Splunk only for a specific set of logs can search that data easier.

I would like them to be able to select said app or dashboard and then enter in search data. Currently, the particular data is coming in from the same index as a lot of other data, and the users have to remember to search for a particular field, "process=a_process", in order for the rest of their data (ip address or username) to show relevant search data.

Which would be better for this case between an app or a dashboard? How can I configure it so that they do not need to enter in
this field for them to search for related data? Eventually graphs and visualizations will be added to the page.

Thanks

Re: Make set of data easily searchable for users on a dashboard?

adonio — Tue, 19 Dec 2017 02:33:57 GMT

seems like a good use case for "tags"
read here:
http://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Abouttagsandaliases
hope it helps

Re: Make set of data easily searchable for users on a dashboard?

gcusello — Tue, 19 Dec 2017 07:48:58 GMT

Hi xxkenta,
I usually create an App for each destination, I like this approach to have in one App all the knowledge objects (fields, tags, etc...) related to that problem.
In this case you'll have an App with at least one dashboard.

If I correctly undestood your need, we solved a similar problem creating an App (called Log Analyzer) used by developers that didn't know Splunk to debug their applications logs.
We have many logs and many flows, so we created a dashboard with some filters to identify the log flow to analyze (e.g. using sourcetype or source or host), in addition there's a text box to perform free text searches.
Result is _raw.

After I developed some dashboard to monitor inputs and understand volumes, perimeter, etc...

Bye.
Giuseppe

Re: Make set of data easily searchable for users on a dashboard?

xxkenta — Tue, 29 Sep 2020 17:19:40 GMT

Thank you. If I create an app for this, say a user wants to debug something related to an IP address 10.10.10.10. Normally they'd have to search "process=a_process 10.10.10.10". How would I configure the app to assume this "process=a_process" so that the user only needs to search the ip address?

Thank you

Re: Make set of data easily searchable for users on a dashboard?

xxkenta — Tue, 29 Sep 2020 17:19:42 GMT

Thank you

Re: Make set of data easily searchable for users on a dashboard?

gcusello — Wed, 20 Dec 2017 08:00:55 GMT

Hi xxkenta,

if your conditions are fixed you can use a fixed search, something like this

index=your_index process=a_process 10.10.10.10

and display _row.

If instead you want to choose different conditions, create one or more lookups for your conditions (e.g. processes.csv and perimeter.csv), and use one or more filters, e.g. a dropdown for process field and a dropdown for IPs, then in your search use something like this:

index=your_index process=$process$ IP=$IP$

where process and IP are two tokens from two dropdowns.

Anyway insert always a text box for free text searches, is very useful!

Bye.
Giuseppe