Dashboards & Visualizations

Checkbox to select specific apps and to show their indexes if selected in dashboard

Mohsin123
Path Finder

Hi,

I have already made a dashboard where a panel shows index usage in GB per index. I have to edit it in this way. Say one application, websphere, has 3 indexes. I want to see all three of them at the same time if I select websphere via a checkbox of applications. Say if I select the websphere application, it shows me the 3 indexes and their use.

0 Karma
1 Solution

niketn
Legend

You can use the Splunk REST command to pull App names and corresponding indexes (provided you have access to execute REST calls).

| rest /services/data/indexes
| dedup eai:acl.app
| table eai:acl.app, title


Following is an example which uses a REST API call to populate App names in a dropdown and, based on the selected App, populates all of the App's indexes as checkboxes. Based on which checkboxes are selected, it gets the stats from the selected index/es using the tstats generating command.

PS: By default the selected app is system and the selected indexes are _audit and _internal. The search panel is hidden based on the depends attribute on tokIndex, and a time picker is added to the stats panel as well.

<form>
  <label>REST app based indexes</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="tokApp" searchWhenChanged="true">
      <label>Select App</label>
      <fieldForLabel>eai:acl.app</fieldForLabel>
      <fieldForValue>eai:acl.app</fieldForValue>
      <search>
        <query>| rest /services/data/indexes
| dedup eai:acl.app
| table eai:acl.app</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <default>system</default>
    </input>
    <input type="checkbox" token="tokIndex" searchWhenChanged="true">
      <label>Select Index/es</label>
      <fieldForLabel>title</fieldForLabel>
      <fieldForValue>title</fieldForValue>
      <search>
        <query>| rest /services/data/indexes
| search eai:acl.app="$tokApp$"
| table title</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <delimiter> OR  </delimiter>
      <valuePrefix>index="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <default>_audit,_internal</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <input type="time" token="tokTime" searchWhenChanged="true">
        <label>Select Time</label>
        <default>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </default>
      </input>
      <table depends="$tokIndex$">
        <search>
          <query>| tstats prestats=t count where $tokIndex$ by sourcetype</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

PS: Refer to the Splunk 6.x Dashboard Examples App from Splunkbase for more such examples on handling Splunk input values using dynamic search options.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


0 Karma


Mohsin123
Path Finder

I am adding this search to the search string. Why am I not getting any result?

|eventcount summarize=false report_size=true index=* index=_*
|search index=$tokIndex$
|stats sum(size_bytes) As size_bytes by index
|Eval size_bytes_GB=size_bytes/1024/1024/1024
|table index size_bytes_GB
|sort - size_bytes_GB

0 Karma

Mohsin123
Path Finder

The error here is: error in search command, unable to parse the search comparator; = has an invalid term on the lhs.

0 Karma
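As an added example (not code from any post in this thread), here is the accepted answer's app dropdown and index checkboxes combined with the size-per-index search from the follow-up post. Because the checkbox input already wraps each value as index="..." and joins them with OR, the search uses $tokIndex$ as the whole filter; writing index=$tokIndex$ expands to index=index="_audit" OR ..., which is the comparator parse error reported above. The form label and the round() call are assumptions added here.

```xml
<form>
  <label>Index usage in GB per app (added example)</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="tokApp" searchWhenChanged="true">
      <label>Select App</label>
      <fieldForLabel>eai:acl.app</fieldForLabel>
      <fieldForValue>eai:acl.app</fieldForValue>
      <search>
        <query>| rest /services/data/indexes
| dedup eai:acl.app
| table eai:acl.app</query>
      </search>
      <default>system</default>
    </input>
    <input type="checkbox" token="tokIndex" searchWhenChanged="true">
      <label>Select Index/es</label>
      <fieldForLabel>title</fieldForLabel>
      <fieldForValue>title</fieldForValue>
      <search>
        <query>| rest /services/data/indexes
| search eai:acl.app="$tokApp$"
| table title</query>
      </search>
      <!-- With _audit and _internal ticked, $tokIndex$ becomes:
           index="_audit" OR index="_internal" -->
      <delimiter> OR </delimiter>
      <valuePrefix>index="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <default>_audit,_internal</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table depends="$tokIndex$">
        <search>
          <!-- The token already carries the index="..." terms, so it is the
               whole search clause. index=$tokIndex$ would produce
               index=index="_audit" and fail with the comparator error. -->
          <query>| eventcount summarize=false report_size=true index=* index=_*
| search $tokIndex$
| stats sum(size_bytes) AS size_bytes BY index
| eval size_bytes_GB=round(size_bytes/1024/1024/1024, 2)
| table index size_bytes_GB
| sort - size_bytes_GB</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```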

niketn
Legend

You might have to paste your code using the Code button (101010) so that special characters do not get escaped.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Mohsin123
Path Finder

Thank you so much Niket. But I get an issue. Data populates for the system app. But if I select any other app, it gives an error: error in tsidxStats: where clause is not an exact query. Also, the select index checkbox is disabled.

0 Karma

Mohsin123
Path Finder

Oh wow.. I just copy-pasted your code and it worked.. Thanks buddy

0 Karma

niketn
Legend

Anytime 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma