All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Sideview Utils: How to set up a pulldown timerange and textfield form boxes for users to populate search queries?

the_wolverine
Champion
‎11-12-2014 10:32 AM

I'm trying to use a pulldown timerange to set multiple values based on the timerange, like this answer: http://answers.splunk.com/answers/91244/pulldown-module-statically-setting-two-values-per-pulldown-o...

But I'm having trouble also integrating the form boxes I want to populate the rest of my query. My query is something like this:

index=main $host1$ OR $host2$ OR $host3$ | timechart span=$span$ max(cpu) by host

I want the user to be able to enter the host values in the form then select a timerange which also determines the span using value setter. It works fine in simple XML other than I could not use pulldown magic to set the span based on a chosen timerange -- so switching to Sideview for more capabilities.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

the_wolverine
Champion
‎11-12-2014 11:41 AM

I got it working, Mr Sideview! I wish there was a specific example like this in the app -- but now this will do. I want to post it as a reference. In this example we want to automatically set the span based on the timerange because Splunk charting has a limitation of 1000 points that can be plotted (by default), we want to give the smallest span possible based on the timerange selected. 

<module name="TextField" layoutPanel="panel_row2_col1">
 <param name="name">host1</param>
 <param name="float">left</param>
 <param name="template">host=$value$</param>
 <param name="label">Host 1:</param>

 <module name="TextField">
  <param name="name">host2</param>
  <param name="float">left</param>
  <param name="template">OR host=$value$</param>
  <param name="label">Host 2:</param> 


 <module name="TextField">
  <param name="name">host3</param>
  <param name="float">left</param>
  <param name="template">OR host=$value$</param>
  <param name="label">Host 3:</param> 


 <module name="TextField">
  <param name="name">host4</param>
  <param name="float">left</param>
  <param name="template">OR host=$value$</param>
  <param name="label">Host 4:</param> 


 <module name="TextField">
  <param name="name">host5</param>
  <param name="float">left</param>
  <param name="template">OR host=$value$</param>
  <param name="label">Host 5:</param> 


 <module name="TextField">
  <param name="name">host6</param>
  <param name="float">left</param>
  <param name="template">OR host=$value$</param>
  <param name="label">Host 6:</param> 

 <module name="Pulldown" layoutPanel="panel_row2_col1">
    <param name="name">customTime</param>
   <param name="label">Select Timerange</param>
   <param name="staticOptions">
     <list>
       <param name="value">-60min,now,30s</param>
       <param name="label">Last 60 minutes</param>
     </list>
     <list>
       <param name="value">-4h,now,1min</param>
       <param name="label">Last 4 hours</param>
     </list>
     <list>
       <param name="value">-24h,now,2m</param>
       <param name="label">Last 24 hours</param>
     </list>
     <list>
       <param name="value">-7d,now,10min</param>
       <param name="label">Last 7 days</param>
     </list>
     <list>
       <param name="value">-30d,now,30m</param>
       <param name="label">Last 30 days</param>
     </list>
   </param>
   <module name="ValueSetter">
     <param name="name">customTimeSplit</param>
     <param name="delim">,</param>
     <param name="value">$customTime$</param>

<module name="Search" layoutPanel="panel_row3_col1">
<param name="search">
index=main $host1$ $host2$ $host3$ $host4$ $host5$ $host6$ | timechart span=$customTimeSplit[2]$ count by host
</param>
<param name="earliest">$customTimeSplit[0]$</param>
<param name="latest">$customTimeSplit[1]$</param>

View solution in original post

Reply
Solved! Jump to solution
Solution

the_wolverine
Champion
‎11-12-2014 11:41 AM

I got it working, Mr Sideview! I wish there was a specific example like this in the app -- but now this will do. I want to post it as a reference. In this example we want to automatically set the span based on the timerange because Splunk charting has a limitation of 1000 points that can be plotted (by default), we want to give the smallest span possible based on the timerange selected. 

<module name="TextField" layoutPanel="panel_row2_col1">
 <param name="name">host1</param>
 <param name="float">left</param>
 <param name="template">host=$value$</param>
 <param name="label">Host 1:</param>

 <module name="TextField">
  <param name="name">host2</param>
  <param name="float">left</param>
  <param name="template">OR host=$value$</param>
  <param name="label">Host 2:</param> 


 <module name="TextField">
  <param name="name">host3</param>
  <param name="float">left</param>
  <param name="template">OR host=$value$</param>
  <param name="label">Host 3:</param> 


 <module name="TextField">
  <param name="name">host4</param>
  <param name="float">left</param>
  <param name="template">OR host=$value$</param>
  <param name="label">Host 4:</param> 


 <module name="TextField">
  <param name="name">host5</param>
  <param name="float">left</param>
  <param name="template">OR host=$value$</param>
  <param name="label">Host 5:</param> 


 <module name="TextField">
  <param name="name">host6</param>
  <param name="float">left</param>
  <param name="template">OR host=$value$</param>
  <param name="label">Host 6:</param> 

 <module name="Pulldown" layoutPanel="panel_row2_col1">
    <param name="name">customTime</param>
   <param name="label">Select Timerange</param>
   <param name="staticOptions">
     <list>
       <param name="value">-60min,now,30s</param>
       <param name="label">Last 60 minutes</param>
     </list>
     <list>
       <param name="value">-4h,now,1min</param>
       <param name="label">Last 4 hours</param>
     </list>
     <list>
       <param name="value">-24h,now,2m</param>
       <param name="label">Last 24 hours</param>
     </list>
     <list>
       <param name="value">-7d,now,10min</param>
       <param name="label">Last 7 days</param>
     </list>
     <list>
       <param name="value">-30d,now,30m</param>
       <param name="label">Last 30 days</param>
     </list>
   </param>
   <module name="ValueSetter">
     <param name="name">customTimeSplit</param>
     <param name="delim">,</param>
     <param name="value">$customTime$</param>

<module name="Search" layoutPanel="panel_row3_col1">
<param name="search">
index=main $host1$ $host2$ $host3$ $host4$ $host5$ $host6$ | timechart span=$customTimeSplit[2]$ count by host
</param>
<param name="earliest">$customTimeSplit[0]$</param>
<param name="latest">$customTimeSplit[1]$</param>
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎11-12-2014 11:45 AM

Awesome. Yep that looks good. I have had an item in the roadmap for too long, to give the Pulldown module a native way of encoding more than one "value", so you don't have to pack it up with commas and then split it out with ValueSetters like this.

minor minor comment - autoRun="False" is meaningless and has no effect and you should remove it in case someone someday thinks it means something (which it doesn't). Cheers!

Reply
Solved! Jump to solution

the_wolverine
Champion
‎11-12-2014 11:47 AM

Thank you, I'm cleaning that up now.

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎11-12-2014 11:10 AM

Can you post the XML here or put it in pastebin? I'm interested in the $hostN$ values - what happens when one of the three is empty? It looks like there would be a syntax error? Normally for $foo$ OR $bar$ OR $baz$ I would advise using a Sideview Checkboxes or CheckboxPulldown module, because those are designed to deal with the whole OR-expression work for you. But if you post the XML there may be idiosyncracies or simple fixes around the multiple-value thing with your timeranges and spans.

0 Karma
Reply
Solved! Jump to solution

the_wolverine
Champion
‎11-12-2014 11:15 AM

I've modified it to integrate a template so now this is working properly...

<module name="TextField" layoutPanel="panel_row2_col1" autoRun="False">
 <param name="name">host1</param>
 <param name="float">left</param>
 <param name="template">host=$value$</param>
 <param name="label">Host 1:</param>

 <module name="TextField">
  <param name="name">host2</param>
  <param name="float">left</param>
  <param name="template">OR host=$value$</param>
  <param name="label">Host 2:</param>

ETC.

index=main host=host1 OR host=host2 | timechart span=span max(cpu) by host

Now I just need to integrate the pulldown so that user can select timerange and set the span value based on the timerange selected.

0 Karma
Reply
Solved! Jump to solution

the_wolverine
Champion
‎11-12-2014 11:39 AM

Got it working!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...