Dashboards & Visualizations

Can you create a dashboard with an adjustable time frame for searches?

dpadams
Communicator

I've built a dashboard that includes five panels that each display values over the previous 24 hours, such as top URLs requested, average processing time, and URLs tabulated by machine. My boss said "Great! Can you make it work for a 5 day period?" I can do so by creating five new saved searches with a different time frame and a new five-day view.

Is there a better way? I've looked around a bit but haven't seen an obvious way to parameterize the time period. An ideal user interface seems like it would include a popup or datetime picker that enables the user to dynamically adjust what period they're interested in reviewing - just like Splunk's standard searches.

Is there a way to go this for a custom dashboard? I'd be grateful for any suggestions or links to examples or documentation.

Tags (2)
1 Solution

gkanapathy
Splunk Employee
Splunk Employee

Yes you can. However, you can't do it via the GUI dashboard editor, which is how I think you've been doing it. You do have to edit the dashboard code XML directly. However, the changes are not too large.

You can start by building a dashboard as you have, but then have to make basically three changes, all of which you do by editing the dashboard simple XML:

  • Change the view type from <dashboard> to <form>
  • Add a <fieldset> with a time input element
  • Make sure the searches in your dashboard panels don't already include an overriding time range

See here: http://docs.splunk.com/Documentation/Splunk/latest/Developer/Step1CreateAForm and note that once you edit the dashboard XML into a form, you can no longer use the GUI editor, but must edit the XML for that view going forward.

View solution in original post

jkshapiro
Engager

In the current version of Splunk, this can be accomplished without having to edit any XML. Simplest steps are as follows:

  1. In your dashboard, from the "Edit" dropdown, choose "Edit Panels".
  2. From the "+ Add Input" dropdown, choose "Time". This adds a time picker to the dashboard.
  3. For each panel that you want to be affected by the time picker, click the magnifying glass dropdown and choose "Edit Search String".
  4. In the "Time Range Scope" section, choose the option that starts with "Shared Time Picker".
  5. Click "Save" for the panel. If there are more panels to attach to the time picker then go to step 3.
  6. Click "Done" for the dashboard.

More information at http://docs.splunk.com/Documentation/Splunk/6.2.5/Viz/FormEditor.

andrewpense825
Explorer

This worked for me! thanks.  You would assume splunk would hold your hand a bit more rather than making you find it but I'll take it.

0 Karma

SteveIves1
Engager

Thanks. This mostly worked, although the Search on change checkbox seemed to have no effect. I added a Submit button and that did the trick.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

Yes you can. However, you can't do it via the GUI dashboard editor, which is how I think you've been doing it. You do have to edit the dashboard code XML directly. However, the changes are not too large.

You can start by building a dashboard as you have, but then have to make basically three changes, all of which you do by editing the dashboard simple XML:

  • Change the view type from <dashboard> to <form>
  • Add a <fieldset> with a time input element
  • Make sure the searches in your dashboard panels don't already include an overriding time range

See here: http://docs.splunk.com/Documentation/Splunk/latest/Developer/Step1CreateAForm and note that once you edit the dashboard XML into a form, you can no longer use the GUI editor, but must edit the XML for that view going forward.

dpadams
Communicator

Thanks! I tried this out and it's an easy way to get what I'm after in this case. Much appreciated.

0 Karma

lguinn2
Legend

Yes, this is better! Thanks!

0 Karma

lguinn2
Legend

Absolutely! But it will be a little more work, and it is a bit complicated to explain. I've tried to give the most straight-forward approach below, as a starting point.

First, you will need to convert your existing dashboard to advanced XML. (This is much quicker and easier than writing advanced XML from scratch!)

  • Open the dashboard
  • In the browser address bar, add ?showsource=1 to the URL
  • Scroll down until you see a text box of XML - that's the advanced XML for your dashboard!
  • Cut and paste the XML from the text box into a file (just temporarily)

The next step is a big one: you need to add a time picker to each panel of the dashboard. Here is a bit of XML from a dashboard to show you the TimeRangePicker module. For each panel, add the TimeRangePicker within the HiddenSearch module. Note that you can set the selected time to a default - Last 15 minutes is a good choice.

  <module name="HiddenSearch" layoutPanel="panel_row1_col1" >
   <param name="savedSearch">mySearch</param>
    <module name="TimeRangePicker">
      <param name="searchWhenChanged">True</param>
      <param name="selected">Last 15 minutes</param>
      <module name="SimpleResultsTable"/>
    </module>
  • Go to the Splunk Manager -> User Interface -> Views and click the green Add New button.
  • Fill in the form, pasting the XML from your file into the text box. Name the new view something different.

There are other ways to do this, but I suggest that you download this app from Splunkbase: Splunk UI examples app for 4.1+ and go through the examples - the examples are a great tutorial. You may also to want to look at the Splunk Developer Manual as well.

dpadams
Communicator

Iguinn, thanks very much for the answer - I've tried it out and am still experimenting. I've ended up going with gkanapathy's simple XML solution in this case, but am glad to be poking my toe into the advanced XML features as well.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

lguinn, I think this is more complex than the poster is asking for. What they need I believe can be done pretty easily in Simple XML. See my suggested answer.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...