I have the following Splunk query:
sourcetype=api "analyzed email count" mailserver-01 | stats sum(mail_value) AS "Total".
mailserver-01 is a field in Splunk that defines the mail server. I have 10 mail servers and wanted to make a dropdown list where users can select the mail server and the dashboard will auto refresh.
Here is a dynamic way to do it. This will count up the mail servers and add them to the dropdown box. If you have 2 servers it will show those two; if you have 100, it shows 100 servers.
<input type="time" token="global_time" searchWhenChanged="true">
<label>Time frame</label>
<default>Last 24 hours</default>
</input>
<input type="dropdown" token="Mailserver" searchWhenChanged="true">
<label>Mailserver</label>
<search>
<!-- Adjust the rex so it extracts the name of your mail server. Inside <query> the angle brackets of the named capture group must be XML-escaped as &lt; and &gt;, otherwise the dashboard source will not parse. -->
<query>sourcetype=api "analyzed email count"
| rex "xxx (?&lt;server&gt;\S+)"
| top limit=0 server</query>
<earliest>$global_time.earliest$</earliest>
<latest>$global_time.latest$</latest>
</search>
<choice value="*">Any</choice>
<fieldForLabel>server</fieldForLabel>
<fieldForValue>server</fieldForValue>
<default>*</default>
</input>
Then in your panel you add the following search:
sourcetype=api "analyzed email count" $Mailserver$ | stats sum(mail_value) AS "Total"
If you post some lines that show what the mail server name looks like in the events, I can make the regex to extract it for you.
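For reference, here is the complete search-populated form as one Simple XML source (an added example, not the answerer's posted code). It assumes a constructed event shape in which the server name appears in the raw text as `server=mailserver-NN`, so the `rex` pattern and the field name `server` are assumptions you must adapt to your own logs. It also quotes the token in the panel search with the `|s` filter: dashboard tokens can be set from the URL (`?form.Mailserver=...`) as well as from the dropdown, and an unquoted `$Mailserver$` spliced into SPL lets anyone who can reach the dashboard append their own search pipeline, whereas `$Mailserver|s$` turns the value into a quoted string.

```xml
<form version="1.1">
  <label>Mail server dashboard (example)</label>
  <!-- Assumed raw event shape (constructed for this example):
       2024-05-01T10:00:00Z server=mailserver-03 analyzed email count mail_value=42 -->
  <fieldset submitButton="false">
    <input type="time" token="global_time" searchWhenChanged="true">
      <label>Time frame</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="Mailserver" searchWhenChanged="true">
      <label>Mailserver</label>
      <search>
        <!-- Every server that logged in the selected window becomes a choice.
             The named group is written (?&lt;server&gt;...) because '<' and '>'
             must be escaped inside an XML text node. -->
        <query>sourcetype=api "analyzed email count"
| rex "server=(?&lt;server&gt;\S+)"
| stats count BY server
| sort server
| fields server</query>
        <earliest>$global_time.earliest$</earliest>
        <latest>$global_time.latest$</latest>
      </search>
      <choice value="*">Any</choice>
      <fieldForLabel>server</fieldForLabel>
      <fieldForValue>server</fieldForValue>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Analyzed emails: $Mailserver$</title>
      <single>
        <search>
          <!-- $Mailserver|s$ renders as "mailserver-03" (or "*" for Any), so the
               token can only ever be a quoted value, never extra SPL. -->
          <query>sourcetype=api "analyzed email count"
| rex "server=(?&lt;server&gt;\S+)"
| search server=$Mailserver|s$
| stats sum(mail_value) AS "Total"</query>
          <earliest>$global_time.earliest$</earliest>
          <latest>$global_time.latest$</latest>
        </search>
      </single>
    </panel>
  </row>
</form>
```

Paste this as the dashboard source (Edit > Source) and replace the `rex` with one that matches your events. Because the dropdown is driven by a search over the selected time range, a server that stopped sending logs silently drops out of the list, which is worth knowing if an absent server is something you want to notice rather than hide.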
Edit Dashboard > Click Add Input > Choose Dropdown
Edit Dropdown by clicking on Edit input icon against field1.
1) Rename Label as Select Mail Server.
2) Check the Search on Change option.
3) Set Token to selMailServer.
4) Scroll to Static Options and add the following Name - Values :
Name= 01 -- Value=mailserver-01
02 -- mailserver-02
...
10 -- mailserver-10
5) Scroll back to the Default field and choose 01 as the default field value.
PS: You can define lookup tables for more dynamic list and values and use Dynamic Options to populate Name/Value through Splunk Search String.
Following is the Simple XML source code for the same (notice that the root node changes from dashboard to form the moment we add any form inputs):
<fieldset>
<input type="dropdown" token="selMailServer" searchWhenChanged="true">
<label>Select Mail Server</label>
<choice value="mailserver-01">01</choice>
<choice value="mailserver-02">02</choice>
<choice value="mailserver-03">03</choice>
<choice value="mailserver-04">04</choice>
<choice value="mailserver-05">05</choice>
<choice value="mailserver-06">06</choice>
<choice value="mailserver-07">07</choice>
<choice value="mailserver-08">08</choice>
<choice value="mailserver-09">09</choice>
<choice value="mailserver-10">10</choice>
<default>mailserver-01</default>
</input>
</fieldset>
6) Finally, in your search you can replace mailserver-01 with $selMailServer$
Thank you...I've done this...however, is there a better way to not have to statically do this for every mail server? Say Splunk starts indexing logs for mailserver-11...is there a way to dynamically add it?
How frequently does the data come into Splunk for a mail server? Do all mail server logs come in all the time?
Yes there are two ways. If you have a Splunk Search which can pull Server Names you can populate through Dynamic Option within dropdown.
Alternatively you can load a spreadsheet into Splunk as a lookup table with the mail server names and then use an inputlookup search to populate the dropdown via Dynamic Options. The spreadsheet can be manually updated each time a mail server is added, and also via Splunk search.
One other way would be Key Value (KV) Store as well. I have not worked with that though.
Let me know if it addresses your problem, or if you need more details.