This question may be a bit unusual. While I know SPL is already kind of "simple" enough for most technical users to get the hang of, we are challenged to find a software/service that allows even the least technical users to comfortably create some filters and fire some searches; ideally it should also be able to integrate with Splunk.
"Pivot" does not fit the purpose as it is mainly a visualisation tool rather than a search tool.
Has anyone come across things like this before?
What about trying the tables option from the Datasets Add-on (https://splunkbase.splunk.com/app/3245/)? This lets users work with an Excel-like interface and there is an option on the side to see the SPL it creates. Once you install the app and go to the "Datasets" tab, click on "Create New Table Dataset" to be walked through creating a table to work with.
We gave users who don't know Splunk a simple interface: developers who need to see debugging logs during development.
We created a search perimeter (host, source, and other fields) in a lookup, and we created some filters in the dashboard using the lookup fields so the user can filter logs.
In other words, users choose search parameters, and using the perimeter lookup we build a search containing the main information: index, sourcetype, source, host.
In addition, the user has a free text input to add words to search.
As results, we display the timestamp and part of the raw event (first 200 chars) for a list of events; if the interesting event is longer than 200 chars, clicking on the event displays the full event in another panel of the dashboard.
Now we have a lookup holding all the information about the search perimeter:
In a dashboard, users can choose all the above parameters; in this way we can identify:
and show the user all the events that match the filters.
The only additional choice is a full text search input.
We did it all with the standard Splunk interface, without additional components.
The main job is to design the perimeter, but we usually already have it because the targets are development logs, so we can easily delimit our perimeter.
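One way to build the dashboard described in this answer, written here as an added Simple XML example rather than code from the answerer: it assumes a lookup file named `search_perimeter.csv` (hypothetical name) with the columns `app`, `index`, `sourcetype`, `source` and `host`. The perimeter lookup is fed to the main search as a subsearch, so users never see or type index names; the free text input is inserted with the `|s` token filter, which quotes the value so that a user cannot break out of the search string with `|` or `"` and run unintended SPL. A hidden `epoch` column carries the exact event time into the drilldown, which opens the full event in a second panel.

```xml
<form>
  <label>Developer log search (added example)</label>
  <!-- Assumed lookup: search_perimeter.csv with columns app, index, sourcetype, source, host -->
  <fieldset submitButton="true" autoRun="false">
    <input type="dropdown" token="app">
      <label>Application</label>
      <search>
        <query>| inputlookup search_perimeter.csv | stats count by app | fields app</query>
      </search>
      <fieldForLabel>app</fieldForLabel>
      <fieldForValue>app</fieldForValue>
    </input>
    <input type="dropdown" token="host">
      <label>Host</label>
      <choice value="*">All</choice>
      <default>*</default>
      <!-- Host list is restricted to the hosts of the chosen application -->
      <search>
        <query>| inputlookup search_perimeter.csv | search app="$app$" | stats count by host | fields host</query>
      </search>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
    </input>
    <input type="text" token="freetext">
      <label>Free text (optional)</label>
      <default>*</default>
    </input>
    <input type="time" token="time">
      <label>Time range</label>
      <default><earliest>-1h</earliest><latest>now</latest></default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Matching events (first 200 characters)</title>
        <search>
          <!-- The subsearch expands to (index=... sourcetype=... source=... host=...) OR (...)
               for every perimeter row matching the chosen app and host.
               $freetext|s$ quotes the user text so it is a search term, never SPL. -->
          <query>
search [ | inputlookup search_perimeter.csv
         | search app="$app$" host="$host$"
         | fields index sourcetype source host ]
       $freetext|s$
| eval snippet=substr(_raw, 1, 200), epoch=_time
| table _time host source snippet epoch
          </query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="count">20</option>
        <!-- epoch stays in the result set for the drilldown but is not displayed -->
        <fields>["_time","host","source","snippet"]</fields>
        <drilldown>
          <set token="sel_epoch">$row.epoch$</set>
          <set token="sel_host">$row.host$</set>
          <set token="sel_source">$row.source$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <!-- Second panel appears only after a row is clicked and shows the full raw event -->
  <row depends="$sel_epoch$">
    <panel>
      <event>
        <title>Full event</title>
        <search>
          <query>
search [ | inputlookup search_perimeter.csv
         | search app="$app$" host="$host$"
         | fields index sourcetype source host ]
       host="$sel_host$" source="$sel_source$"
| where _time = $sel_epoch$
          </query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
      </event>
    </panel>
  </row>
</form>
```

Because every search starts from the perimeter lookup, the only data a user can reach is what an administrator put into that lookup; combined with role-based index access on the Splunk side, this keeps the "simple interface" from turning into an unrestricted search box.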