topic Re: Splunk search interface for non-technical users? in Splunk Search

Splunk search interface for non-technical users?

yoyu777 — Wed, 15 Nov 2017 17:24:22 GMT

Hi,

This question may be a bit unusual. While I know SPL is already kind of "simple" enough to get a hang of for most technical users, but we are challenged to find a software/service that allows even the least technical users can comfortably create some filters and fire some searches, ideally it should also be able to integrated with Splunk.

"Pivot" does not fit the purpose as it is mainly a visualisation tool rather than search tool.

Has anyone come across things like this before?

Re: Splunk search interface for non-technical users?

worshamn — Wed, 15 Nov 2017 17:37:17 GMT

What about trying the tables option from the Datasets Add-on (https://splunkbase.splunk.com/app/3245/)? This lets users work with an Excel-like interface and there is an option on the side to see the SPL it creates. Once you install the app and go to the "Datasets" tab, click on "Create New Table Dataset" to be walked through creating a table to work with.

Re: Splunk search interface for non-technical users?

gcusello — Thu, 16 Nov 2017 10:51:17 GMT

Hi yoyu777,
we gave to users that don't know Splunk a simple interface for developers that need to see debugging logs during development.
We created in a lookup a search perimeter (host, source, and other fields) and we created some filters in the dashboard using the lookup fields so the user can filter logs.

In other words, users choose search parameters and using the perimeter lookup we create a search containing the main information: index, sourcetype, source, host.
In addition user has a free text input to add words to search.

As results, we display timestamp and a part of raw (first 200 chars) of a list of events; if the interesting event is larger that 200 chars, clicking on event, it's possible to display the full event in another panel of the dashboard.

Bye.
Giuseppe

Re: Splunk search interface for non-technical users?

yoyu777 — Thu, 16 Nov 2017 11:00:48 GMT

Thanks Giuseppe.

So just to validate my understanding, you created your own app, and did some customisation so non-technical users can create filters by clicking of mouse? Did you just the out-of-the-box interface, or did you use HTML and Javascript scripts, or SplunkJS?

Re: Splunk search interface for non-technical users?

gcusello — Thu, 16 Nov 2017 18:18:59 GMT

No we have a lookup where there are all the information about the search perimeter:

perimeter
name
environment (Production or Qualification)
hostname
IP
Log Type (Application or System)
source
List item

Users in a dashboard can choose all the above parameters, in this way we can identify:

index
sourcetype
source
host

and show to the user all the events that match filters.
The only additional choice is a full text search input.

We did all with standard Splunk interface, without additional components.

The main job is to design the perimeter, but we usually already have it because target are development logs, so we can easily delimiter our perimeter.

Bye.
Giuseppe