Dashboards & Visualizations

Adding search box to dashboard.

Michael_Schyma1
Contributor

I want to figure out how to put in a search bar that lets users look for "Telephone Numbers" and another that lets me look for "usernames." I have been looking at the how to add forms to searches document, but I do not seem to be getting anywhere with my XML. Would anyone have any advice on how to solve this problem?


<?xml version='1.0' encoding='utf-8'?>




index="network" sourcetype="Starfish" source="D:\Starfish\SelfService\Logs\SelfProvisioning.log" Message="- In POST RemovePhone action: phone(s) deleted:" | rex"(?i) action: (?P<PhoneDeleted>[^:]+): "|top PhoneDeleted |fields + count
24-Hour – (SelfService) Starfish Phone Delete Count
-1d@d
now


index="network" sourcetype="Starfish" source="D:\Starfish\SelfService\Logs\SelfProvisioning.log" Message="- Phone password reset completed"| top PasswordReset |fields + count |rename count AS Count
24-Hour - Starfish Telephone Password Reset Count
-1d@d
now


index="network" sourcetype="Starfish" source="D:\Starfish\SelfService\Logs\SelfProvisioning.log" Message="- In UpdateVoicemailPassword action: extension:" |rex "DEBUG - (?<Messages>.+?):"| top Messages |fields + count |rename Messages AS Message count AS Count
24-Hour - Starfish Change Voicemail Password
-1d@d
now




index="network" sourcetype="Starfish" source="D:\Starfish\SelfService\Logs\SelfProvisioning.log" In Provision action: Station has been allocated with extension number *| top ProvisionDescription |fields + count |rename count AS Count
24-Hour - Starfish Station Allocated
-1d@d
now


index="network" sourcetype="Starfish" source="D:\Starfish\Terminator\Logs\Terminator.log" Message="- Voice mailbox * for * has been deleted." | rex"mailbox (?<VoiceMail>\S+) for (?<UserAccount>\S+)(?<LI> has been deleted)." | top limit=0 LI |table count | rename count AS Count
24-Hour - (Terminator) Starfish Voice Mail Deleted
-1d@d
now


index="network" sourcetype="Starfish" source="D:\Starfish\Terminator\Logs\Terminator.log" Message="- Telephone * for * has been deleted." | rex "Telephone (?<Telephone>\S+) for (?<LID>\S+)(?<LI> has been deleted)" | top limit=0 LI| table count | rename count AS Count
24-Hour - (Terminator) Starfish Telephone Deleted
-1d@d
now




index="network" sourcetype="Starfish" source="D:\Starfish\SelfService\Logs\SelfProvisioning.log" Message="- In UpdateVoicemailPassword action: extension:" |rex "extension: (?P<FIELDNAME>.+)"|rex "DEBUG - (?<Messages>.+?):"| table FIELDNAME Messages |rename FIELDNAME AS Extension Messages AS Message
24-Hour - Starfish Update Voice Mail Password
-1d@d
now


index="network" sourcetype="Starfish" source="D:\Starfish\SelfService\Logs\SelfProvisioning.log" Message="- Phone password reset completed*"|rex"successfully : (?P<Extension>\d+)"| top limit=0 PasswordReset Extension | table count Extension PasswordReset | rename count AS Count PasswordReset AS Action
24-Hour - Starfish Phone Password Reset Successfully
-1d@d
now



1 Solution

sideview
SplunkTrust

You can't do it with the <dashboard> syntax. However, there's another similar flavor of 'simplified XML' where the top tag is <form>. The rules are a bit different inside the <form> views from what you're used to in <dashboard>; however, they are pretty similar.

And the bad news is that while you can edit <dashboard> views in the Splunk UI, and drag and drop and use menus to edit visualization options, no such niceties exist for <form> and you'll have to edit XML by hand.

http://docs.splunk.com/Documentation/Splunk/latest/Developer/Step1CreateAForm

The main thing that <form> can do is that it allows you to put text boxes and pulldowns in there. However in many cases <form> itself becomes too limiting and people move on to the so-called Advanced XML.

Since the Simplified XML is really a sort-of macro-layer to the underlying 'advanced' system, you can convert simplified views to the corresponding advanced view.

http://splunk-base.splunk.com/answers/1/how-can-i-convert-simple-view-xml-to-advanced-xml

And I should also add that if and when you make the leap to advanced XML, you should also make the leap to using the Sideview Utils modules in the advanced XML, because it makes the advanced XML much easier to read, deal with, and adds a lot of powerful features.

http://sideviewapps.com/apps/sideview-utils/

Another answers post with good info: http://splunk-base.splunk.com/answers/29615/whats-the-best-way-to-convert-a-simple-xml-form-to-a-sid...

UPDATE. I wrote up a whole post to expand on Lowell's brief description of the process (the last link above). http://sideviewapps.com/654/so-youd-like-to-convert-a-simplified-xml-dashboard-or-form-to-sideview-u...

Ayn
Legend

Please format the XML properly to be viewed on this site. Code sections should be indented with 4 spaces.

Michael_Schyma1
Contributor

Any suggestion would help

0 Karma