I have some data which is coming from the Splunk DB Connect app, which I need to present onto a report. I want this report to have filtering functionality, thus necessitating the use of forms. I'm following the Splunk tutorial on how to implement a basic keyword filter on a report through a simple form, but I found that I need to use an index as a intermediary input data store.
I currently can not use any index due to some other issues which in all fairness will be solved soon, so this question is academic only: is it possible to use forms this way without storing the data in an index?
You should be able to do this. I just wrote a short simple XML dashboard where the
searchTemplate started with
| dbquery and it worked just fine, no importing into an index necessary. I was able to use an input parameter from the form in the SQL query itself, as well as outside of the
dbquery clause, and it all worked as expected.
@aweitzman It works but the searches and time filter doesn't work. Adding a $series$ field after the dbquery doesn't seem to do anything to my search results
The time filter can't work without some manipulation because contents from dbquery don't have a Splunk time associated with them out of the box. If you have a field with the epoch time in it, I believe adding
| rename timefield to _time will use that field as the Splunk time, which should then allow for time filtering.
I do not understand what you mean by "Adding a $series$ field...". Can you explain that further, please? For me, both of the following worked, where
$formValue$ is the contents of an input box:
| dbquery mydb "SELECT * FROM dbo.mytable where MyField like '%$formValue$%'"
| dbquery mydb "SELECT * FROM dbo.mytable" | search MyField="*$formValue$*"
Ah I get it, I was following the example on http://docs.splunk.com/Documentation/Splunk/latest/Viz/Buildandeditforms and thought that you would be following the same keyword - they use $series$ to search. How would I make it search for any column on the table, though, without having to modify 'MyField'?
I also have a _time field but the time range still isn't working. My code is from the splunk help page, by the way.
Another way to deal with the time is to use a Splunk command called
addinfo. This will add fields related to the time of the search being done,
info_max_time, so you can compare against a field you already have. For instance, if the field you get from the db containing the epoch time is
TimeStamp, then the following should work:
| dbquery mydb "SELECT * FROM dbo.mytable where MyField like '%$formValue$%'" | addinfo | convert auto(TimeStamp) | where (info_min_time (less-than) TimeStamp AND info_max_time (greater-than) TimeStamp)
(Replace less-than and greater-than with the actual symbols.)
I don't quite understand what use
addinfo would do? I've translated my timestamp field taken from
dbqueryinto splunk time by using the
eval _time=UPDATE_TIME command, but the time picker doesn't work. The current code I have in xml is
<input type="time" searchWhenChanged="true"> <default> <earliestTime>@d</earliestTime> <latestTime>now</latestTime> </default> </input>
What I mean is, leave out the
eval _time=UPDATE_TIME clause in your search and replace it with the
addinfo suggestion instead.
but how does this link to the time picker I have on my form?
By definition, the time picker identifies the time boundaries of your search. There's no other "link" than that. The time boundaries are metadata values with respect to the search, so they don't show up as usable values by default. The
addinfo command makes those metadata values available to you so you can work with them.