All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Sideview Utils: How to set up a pulldown timerange and textfield form boxes for users to populate search queries?

the_wolverine
Champion
‎11-12-2014 10:32 AM

I'm trying to use a pulldown timerange to set multiple values based on the timerange, like this answer: http://answers.splunk.com/answers/91244/pulldown-module-statically-setting-two-values-per-pulldown-o...

But I'm having trouble also integrating the form boxes I want to populate the rest of my query. My query is something like this:

index=main $host1$ OR $host2$ OR $host3$ | timechart span=$span$ max(cpu) by host

I want the user to be able to enter the host values in the form then select a timerange which also determines the span using value setter. It works fine in simple XML other than I could not use pulldown magic to set the span based on a chosen timerange -- so switching to Sideview for more capabilities.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

the_wolverine
Champion
‎11-12-2014 11:41 AM

I got it working, Mr Sideview! I wish there was a specific example like this in the app -- but now this will do. I want to post it as a reference. In this example we want to automatically set the span based on the timerange because Splunk charting has a limitation of 1000 points that can be plotted (by default), we want to give the smallest span possible based on the timerange selected. 

<module name="TextField" layoutPanel="panel_row2_col1">
 <param name="name">host1</param>
 <param name="float">left</param>
 <param name="template">host=$value$</param>
 <param name="label">Host 1:</param>

 <module name="TextField">
  <param name="name">host2</param>
  <param name="float">left</param>
  <param name="template">OR host=$value$</param>
  <param name="label">Host 2:</param> 


 <module name="TextField">
  <param name="name">host3</param>
  <param name="float">left</param>
  <param name="template">OR host=$value$</param>
  <param name="label">Host 3:</param> 


 <module name="TextField">
  <param name="name">host4</param>
  <param name="float">left</param>
  <param name="template">OR host=$value$</param>
  <param name="label">Host 4:</param> 


 <module name="TextField">
  <param name="name">host5</param>
  <param name="float">left</param>
  <param name="template">OR host=$value$</param>
  <param name="label">Host 5:</param> 


 <module name="TextField">
  <param name="name">host6</param>
  <param name="float">left</param>
  <param name="template">OR host=$value$</param>
  <param name="label">Host 6:</param> 

 <module name="Pulldown" layoutPanel="panel_row2_col1">
    <param name="name">customTime</param>
   <param name="label">Select Timerange</param>
   <param name="staticOptions">
     <list>
       <param name="value">-60min,now,30s</param>
       <param name="label">Last 60 minutes</param>
     </list>
     <list>
       <param name="value">-4h,now,1min</param>
       <param name="label">Last 4 hours</param>
     </list>
     <list>
       <param name="value">-24h,now,2m</param>
       <param name="label">Last 24 hours</param>
     </list>
     <list>
       <param name="value">-7d,now,10min</param>
       <param name="label">Last 7 days</param>
     </list>
     <list>
       <param name="value">-30d,now,30m</param>
       <param name="label">Last 30 days</param>
     </list>
   </param>
   <module name="ValueSetter">
     <param name="name">customTimeSplit</param>
     <param name="delim">,</param>
     <param name="value">$customTime$</param>

<module name="Search" layoutPanel="panel_row3_col1">
<param name="search">
index=main $host1$ $host2$ $host3$ $host4$ $host5$ $host6$ | timechart span=$customTimeSplit[2]$ count by host
</param>
<param name="earliest">$customTimeSplit[0]$</param>
<param name="latest">$customTimeSplit[1]$</param>

View solution in original post

Reply
Solved! Jump to solution
Solution

the_wolverine
Champion
‎11-12-2014 11:41 AM

I got it working, Mr Sideview! I wish there was a specific example like this in the app -- but now this will do. I want to post it as a reference. In this example we want to automatically set the span based on the timerange because Splunk charting has a limitation of 1000 points that can be plotted (by default), we want to give the smallest span possible based on the timerange selected. 

<module name="TextField" layoutPanel="panel_row2_col1">
 <param name="name">host1</param>
 <param name="float">left</param>
 <param name="template">host=$value$</param>
 <param name="label">Host 1:</param>

 <module name="TextField">
  <param name="name">host2</param>
  <param name="float">left</param>
  <param name="template">OR host=$value$</param>
  <param name="label">Host 2:</param> 


 <module name="TextField">
  <param name="name">host3</param>
  <param name="float">left</param>
  <param name="template">OR host=$value$</param>
  <param name="label">Host 3:</param> 


 <module name="TextField">
  <param name="name">host4</param>
  <param name="float">left</param>
  <param name="template">OR host=$value$</param>
  <param name="label">Host 4:</param> 


 <module name="TextField">
  <param name="name">host5</param>
  <param name="float">left</param>
  <param name="template">OR host=$value$</param>
  <param name="label">Host 5:</param> 


 <module name="TextField">
  <param name="name">host6</param>
  <param name="float">left</param>
  <param name="template">OR host=$value$</param>
  <param name="label">Host 6:</param> 

 <module name="Pulldown" layoutPanel="panel_row2_col1">
    <param name="name">customTime</param>
   <param name="label">Select Timerange</param>
   <param name="staticOptions">
     <list>
       <param name="value">-60min,now,30s</param>
       <param name="label">Last 60 minutes</param>
     </list>
     <list>
       <param name="value">-4h,now,1min</param>
       <param name="label">Last 4 hours</param>
     </list>
     <list>
       <param name="value">-24h,now,2m</param>
       <param name="label">Last 24 hours</param>
     </list>
     <list>
       <param name="value">-7d,now,10min</param>
       <param name="label">Last 7 days</param>
     </list>
     <list>
       <param name="value">-30d,now,30m</param>
       <param name="label">Last 30 days</param>
     </list>
   </param>
   <module name="ValueSetter">
     <param name="name">customTimeSplit</param>
     <param name="delim">,</param>
     <param name="value">$customTime$</param>

<module name="Search" layoutPanel="panel_row3_col1">
<param name="search">
index=main $host1$ $host2$ $host3$ $host4$ $host5$ $host6$ | timechart span=$customTimeSplit[2]$ count by host
</param>
<param name="earliest">$customTimeSplit[0]$</param>
<param name="latest">$customTimeSplit[1]$</param>
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎11-12-2014 11:45 AM

Awesome. Yep that looks good. I have had an item in the roadmap for too long, to give the Pulldown module a native way of encoding more than one "value", so you don't have to pack it up with commas and then split it out with ValueSetters like this.

minor minor comment - autoRun="False" is meaningless and has no effect and you should remove it in case someone someday thinks it means something (which it doesn't). Cheers!

Reply
Solved! Jump to solution

the_wolverine
Champion
‎11-12-2014 11:47 AM

Thank you, I'm cleaning that up now.

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎11-12-2014 11:10 AM

Can you post the XML here or put it in pastebin? I'm interested in the $hostN$ values - what happens when one of the three is empty? It looks like there would be a syntax error? Normally for $foo$ OR $bar$ OR $baz$ I would advise using a Sideview Checkboxes or CheckboxPulldown module, because those are designed to deal with the whole OR-expression work for you. But if you post the XML there may be idiosyncracies or simple fixes around the multiple-value thing with your timeranges and spans.

0 Karma
Reply
Solved! Jump to solution

the_wolverine
Champion
‎11-12-2014 11:15 AM

I've modified it to integrate a template so now this is working properly...

<module name="TextField" layoutPanel="panel_row2_col1" autoRun="False">
 <param name="name">host1</param>
 <param name="float">left</param>
 <param name="template">host=$value$</param>
 <param name="label">Host 1:</param>

 <module name="TextField">
  <param name="name">host2</param>
  <param name="float">left</param>
  <param name="template">OR host=$value$</param>
  <param name="label">Host 2:</param>

ETC.

index=main host=host1 OR host=host2 | timechart span=span max(cpu) by host

Now I just need to integrate the pulldown so that user can select timerange and set the span value based on the timerange selected.

0 Karma
Reply
Solved! Jump to solution

the_wolverine
Champion
‎11-12-2014 11:39 AM

Got it working!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...