Sideview Utils: How to set up a pulldown timerange and textfield form boxes for users to populate search queries?

the_wolverine
Champion

I'm trying to use a pulldown timerange to set multiple values based on the timerange, like this answer: http://answers.splunk.com/answers/91244/pulldown-module-statically-setting-two-values-per-pulldown-o...

But I'm having trouble also integrating the form boxes I want to populate the rest of my query. My query is something like this:

index=main $host1$ OR $host2$ OR $host3$ | timechart span=$span$ max(cpu) by host

I want the user to be able to enter the host values in the form then select a timerange which also determines the span using value setter. It works fine in simple XML other than I could not use pulldown magic to set the span based on a chosen timerange -- so switching to Sideview for more capabilities.

0 Karma
1 Solution

the_wolverine
Champion

I got it working, Mr Sideview! I wish there was a specific example like this in the app -- but now this will do. I want to post it as a reference. In this example we want to automatically set the span based on the timerange because Splunk charting has a limitation of 1000 points that can be plotted (by default). We want to give the smallest span possible based on the timerange selected.

<module name="TextField" layoutPanel="panel_row2_col1">
  <param name="name">host1</param>
  <param name="float">left</param>
  <param name="template">host=$value$</param>
  <param name="label">Host 1:</param>

  <module name="TextField">
    <param name="name">host2</param>
    <param name="float">left</param>
    <param name="template">OR host=$value$</param>
    <param name="label">Host 2:</param>

    <module name="TextField">
      <param name="name">host3</param>
      <param name="float">left</param>
      <param name="template">OR host=$value$</param>
      <param name="label">Host 3:</param>

      <module name="TextField">
        <param name="name">host4</param>
        <param name="float">left</param>
        <param name="template">OR host=$value$</param>
        <param name="label">Host 4:</param>

        <module name="TextField">
          <param name="name">host5</param>
          <param name="float">left</param>
          <param name="template">OR host=$value$</param>
          <param name="label">Host 5:</param>

          <module name="TextField">
            <param name="name">host6</param>
            <param name="float">left</param>
            <param name="template">OR host=$value$</param>
            <param name="label">Host 6:</param>

            <!-- Each option packs earliest,latest,span into one value -->
            <module name="Pulldown" layoutPanel="panel_row2_col1">
              <param name="name">customTime</param>
              <param name="label">Select Timerange</param>
              <param name="staticOptions">
                <list>
                  <param name="value">-60min,now,30s</param>
                  <param name="label">Last 60 minutes</param>
                </list>
                <list>
                  <param name="value">-4h,now,1min</param>
                  <param name="label">Last 4 hours</param>
                </list>
                <list>
                  <param name="value">-24h,now,2m</param>
                  <param name="label">Last 24 hours</param>
                </list>
                <list>
                  <param name="value">-7d,now,10min</param>
                  <param name="label">Last 7 days</param>
                </list>
                <list>
                  <param name="value">-30d,now,30m</param>
                  <param name="label">Last 30 days</param>
                </list>
              </param>

              <!-- Split the packed value on "," so the parts can be read as $customTimeSplit[N]$ -->
              <module name="ValueSetter">
                <param name="name">customTimeSplit</param>
                <param name="delim">,</param>
                <param name="value">$customTime$</param>

                <module name="Search" layoutPanel="panel_row3_col1">
                  <param name="search">
index=main $host1$ $host2$ $host3$ $host4$ $host5$ $host6$ | timechart span=$customTimeSplit[2]$ count by host
                  </param>
                  <param name="earliest">$customTimeSplit[0]$</param>
                  <param name="latest">$customTimeSplit[1]$</param>
                </module>
              </module>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>
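
The token flow in the post above, modelled in Python as an added example (not code from the thread or from Sideview Utils): per-field templates, the comma-packed Pulldown value split the way the ValueSetter splits it, and the number of timechart buckets each option produces, for comparison with the 1000-point limit the post mentions. It assumes an empty TextField yields an empty token, as the thread implies; `resolve`, `bucket_counts` and the host names are invented here.

```python
import re

UNIT_SECONDS = {"s": 1, "m": 60, "min": 60, "h": 3600, "d": 86400}

# Templates, search string and Pulldown values copied from the post above.
TEMPLATES = {"host1": "host=$value$",
             **{f"host{n}": "OR host=$value$" for n in range(2, 7)}}
SEARCH = ("index=main $host1$ $host2$ $host3$ $host4$ $host5$ $host6$ "
          "| timechart span=$customTimeSplit[2]$ count by host")
OPTIONS = ["-60min,now,30s", "-4h,now,1min", "-24h,now,2m",
           "-7d,now,10min", "-30d,now,30m"]


def to_seconds(term):
    """Convert a relative-time term such as '-24h' or '10min' to seconds."""
    match = re.fullmatch(r"-?(\d+)(s|min|m|h|d)", term)
    if match is None:
        raise ValueError(f"unsupported time term: {term!r}")
    return int(match.group(1)) * UNIT_SECONDS[match.group(2)]


def resolve(form, packed_time):
    """Return (search, earliest, latest, buckets) for one form submission."""
    parts = packed_time.split(",")  # what ValueSetter does with delim ","
    if len(parts) != 3 or parts[1] != "now":
        raise ValueError("expected 'earliest,now,span'")
    earliest, latest, span = parts
    tokens = {"customTimeSplit[2]": span}
    for name, template in TEMPLATES.items():
        value = form.get(name, "").strip()
        # Assumption: an empty field leaves its token empty (template skipped).
        tokens[name] = template.replace("$value$", value) if value else ""
    search = re.sub(r"\$([^$]+)\$", lambda m: tokens[m.group(1)], SEARCH)
    search = " ".join(search.split())  # collapse gaps left by empty tokens
    # Approximate number of time buckets timechart produces over the range.
    buckets = to_seconds(earliest) // to_seconds(span)
    return search, earliest, latest, buckets


def bucket_counts():
    """Map each Pulldown value to its timechart bucket count."""
    return {option: resolve({}, option)[3] for option in OPTIONS}


if __name__ == "__main__":
    print(resolve({"host1": "web01", "host3": "db01"}, OPTIONS[2]))  # constructed hosts
    print(resolve({"host2": "db01"}, OPTIONS[3])[0])  # Host 1 left empty
    print(bucket_counts())
```

In this model, leaving Host 1 empty while filling a later field produces a search that starts with `index=main OR host=...`, and the 7-day and 30-day options come out at 1008 and 1440 buckets.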

sideview
SplunkTrust

Awesome. Yep that looks good. I have had an item in the roadmap for too long, to give the Pulldown module a native way of encoding more than one "value", so you don't have to pack it up with commas and then split it out with ValueSetters like this.

minor minor comment - autoRun="False" is meaningless and has no effect and you should remove it in case someone someday thinks it means something (which it doesn't). Cheers!

the_wolverine
Champion

Thank you, I'm cleaning that up now.

0 Karma

sideview
SplunkTrust

Can you post the XML here or put it in pastebin? I'm interested in the $hostN$ values - what happens when one of the three is empty? It looks like there would be a syntax error? Normally for $foo$ OR $bar$ OR $baz$ I would advise using a Sideview Checkboxes or CheckboxPulldown module, because those are designed to deal with the whole OR-expression work for you. But if you post the XML there may be idiosyncrasies or simple fixes around the multiple-value thing with your timeranges and spans.

0 Karma

the_wolverine
Champion

I've modified it to integrate a template so now this is working properly...

<module name="TextField" layoutPanel="panel_row2_col1" autoRun="False">
 <param name="name">host1</param>
 <param name="float">left</param>
 <param name="template">host=$value$</param>
 <param name="label">Host 1:</param>

 <module name="TextField">
  <param name="name">host2</param>
  <param name="float">left</param>
  <param name="template">OR host=$value$</param>
  <param name="label">Host 2:</param> 

ETC.

index=main host=host1 OR host=host2 | timechart span=span max(cpu) by host

Now I just need to integrate the pulldown so that user can select timerange and set the span value based on the timerange selected.

0 Karma

the_wolverine
Champion

Got it working!

0 Karma