Hello All,
I am working on a new dashboard panel that has five grouped pie charts within the single panel. It is my hope to have a dynamic pull-down that is populated with a set of project names returned by a search string. When one of the project names is selected, it would be used in five separate saved searches that provide the data for the pie charts.
I have spent the last couple of hours searching through Splunk Answers and Google and I have a working dashboard panel with the five pie charts in it. However, I still cannot seem to figure out the dynamic pull-down and updating of the search strings with the select value. Instead of me continuing to bang my head on the desk, I was hoping that somebody on Splunk Answers could provide me a hand in completing my work.
Instead of wasting everybody’s time with telling you what I have attempted so far and what has not worked, I thought it would be easier to show you what I have completed thus far and someone that is better with creating dashboards can fill in the blanks for me.
Dashboard Code:
<view autoCancelInterval="90" isVisible="true" objectMode="SimpleDashboard" onunloadCancelJobs="true" refresh="-1" template="dashboard.html">
<label>TEST</label>
<module name="AccountBar" layoutPanel="appHeader"/>
<module name="AppBar" layoutPanel="navigationHeader"/>
<module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="clearOnJobDispatch">False</param>
<param name="maxSize">1</param>
</module>
<module name="DashboardTitleBar" layoutPanel="viewHeader"/>
<module name="Message" layoutPanel="navigationHeader">
<param name="filter">splunk.search.job</param>
<param name="clearOnJobDispatch">True</param>
<param name="maxSize">1</param>
<param name="level">warn</param>
</module>
<module name="HiddenSavedSearch" layoutPanel="panel_row2_col1_grp1" group="Scalr Quota by OU - Havana" autoRun="True">
<param name="savedSearch">Scalr Quota by OU - Cores - Havana</param>
<param name="groupLabel">Scalr Quota by OU - Cores - Havana</param>
<module name="GenericHeader">
<param name="label">
Cores
</param>
<module name="ViewstateAdapter">
<param name="suppressionList">
<item>charting.chart</item>
</param>
<param name="savedSearch">Scalr Quota by OU - Cores - Havana</param>
<module name="HiddenFieldPicker">
<param name="strictMode">True</param>
<module name="JobProgressIndicator">
<module name="EnablePreview">
<param name="enable">True</param>
<param name="display">False</param>
<module name="HiddenChartFormatter">
<param name="charting.chart">pie</param>
<module name="JSChart">
<param name="width">100%</param>
<module name="Gimp"/>
<module name="ConvertToDrilldownSearch">
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
<module name="HiddenSavedSearch" layoutPanel="panel_row2_col1_grp2" group="Scalr Quota by OU - Gigabytes - Havana" autoRun="True">
<param name="savedSearch">Scalr Quota by OU - Gigabytes - Havana</param>
<param name="groupLabel">Scalr Quota by OU - Gigabytes - Havana</param>
<module name="GenericHeader">
<param name="label">
Gigabytes
</param>
<module name="ViewstateAdapter">
<param name="suppressionList">
<item>charting.chart</item>
</param>
<param name="savedSearch">Scalr Quota by OU - Gigabytes - Havana</param>
<module name="HiddenFieldPicker">
<param name="strictMode">True</param>
<module name="JobProgressIndicator">
<module name="EnablePreview">
<param name="enable">True</param>
<param name="display">False</param>
<module name="HiddenChartFormatter">
<param name="charting.chart">pie</param>
<module name="JSChart">
<param name="width">100%</param>
<module name="Gimp"/>
<module name="ConvertToDrilldownSearch">
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
<module name="HiddenSavedSearch" layoutPanel="panel_row2_col1_grp3" group="Scalr Quota by OU - Instances - Havana" autoRun="True">
<param name="savedSearch">Scalr Quota by OU - Instances - Havana</param>
<param name="groupLabel">Scalr Quota by OU - Instances - Havana</param>
<module name="GenericHeader">
<param name="label">
Instances
</param>
<module name="ViewstateAdapter">
<param name="suppressionList">
<item>charting.chart</item>
</param>
<param name="savedSearch">Scalr Quota by OU - Instances - Havana</param>
<module name="HiddenFieldPicker">
<param name="strictMode">True</param>
<module name="JobProgressIndicator">
<module name="EnablePreview">
<param name="enable">True</param>
<param name="display">False</param>
<module name="HiddenChartFormatter">
<param name="charting.chart">pie</param>
<module name="JSChart">
<param name="width">100%</param>
<module name="Gimp"/>
<module name="ConvertToDrilldownSearch">
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
<module name="HiddenSavedSearch" layoutPanel="panel_row2_col1_grp4" group="Scalr Quota by OU - Ram - Havana" autoRun="True">
<param name="savedSearch">Scalr Quota by OU - Ram - Havana</param>
<param name="groupLabel">Scalr Quota by OU - Ram - Havana</param>
<module name="GenericHeader">
<param name="label">
Ram
</param>
<module name="ViewstateAdapter">
<param name="suppressionList">
<item>charting.chart</item>
</param>
<param name="savedSearch">Scalr Quota by OU - Ram - Havana</param>
<module name="HiddenFieldPicker">
<param name="strictMode">True</param>
<module name="JobProgressIndicator">
<module name="EnablePreview">
<param name="enable">True</param>
<param name="display">False</param>
<module name="HiddenChartFormatter">
<param name="charting.chart">pie</param>
<module name="JSChart">
<param name="width">100%</param>
<module name="Gimp"/>
<module name="ConvertToDrilldownSearch">
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
<module name="HiddenSavedSearch" layoutPanel="panel_row2_col1_grp5" group="Scalr Quota by OU - Volumes - Havana" autoRun="True">
<param name="savedSearch">Scalr Quota by OU - Volumes - Havana</param>
<param name="groupLabel">Scalr Quota by OU - Volumes - Havana</param>
<module name="GenericHeader">
<param name="label">
Volumes
</param>
<module name="ViewstateAdapter">
<param name="suppressionList">
<item>charting.chart</item>
</param>
<param name="savedSearch">Scalr Quota by OU - Volumes - Havana</param>
<module name="HiddenFieldPicker">
<param name="strictMode">True</param>
<module name="JobProgressIndicator">
<module name="EnablePreview">
<param name="enable">True</param>
<param name="display">False</param>
<module name="HiddenChartFormatter">
<param name="charting.chart">pie</param>
<module name="JSChart">
<param name="width">100%</param>
<module name="Gimp"/>
<module name="ConvertToDrilldownSearch">
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</view>
Saved Searches:
Project names - index=app sourcetype=ecos_reports source="/var/log/ecos/quota_ost_havana.log" project_name=* earliest=-1h@h latest=@h | stats count by project_name
Scalr Quota by OU - Cores - Havana - index=app sourcetype=ecos_reports source="/var/log/ecos/quota_ost_havana.log" project_name=GIS resource=cores earliest=-1h@h latest=@h | stats sum(usage) as Usage values(quota) as Quota | transpose
Scalr Quota by OU - Gigabytes - Havana - index=app sourcetype=ecos_reports source="/var/log/ecos/quota_ost_havana.log" project_name=GIS resource=gigabytes earliest=-1h@h latest=@h | stats sum(usage) as Usage values(quota) as Quota | transpose
Scalr Quota by OU - Instances - Havana - index=app sourcetype=ecos_reports source="/var/log/ecos/quota_ost_havana.log" project_name=GIS resource=instances earliest=-1h@h latest=@h | stats sum(usage) as Usage values(quota) as Quota | transpose
Scalr Quota by OU - Ram - Havana - index=app sourcetype=ecos_reports source="/var/log/ecos/quota_ost_havana.log" project_name=GIS resource=ram earliest=-1h@h latest=@h | stats sum(usage) as Usage values(quota) as Quota | transpose
Scalr Quota by OU - Volumes - Havana - index=app sourcetype=ecos_reports source="/var/log/ecos/quota_ost_havana.log" project_name=GIS resource=volumes earliest=-1h@h latest=@h | stats sum(usage) as Usage values(quota) as Quota | transpose
Thanks in advanced for the help!
Erik
Try something like this (runanywhere example with dropdown for sourcetype and two panels)
<view autoCancelInterval="90" isVisible="true" objectMode="SimpleForm" onunloadCancelJobs="true" template="dashboard.html">
<label>SimpleXmlDropDown</label>
<module name="AccountBar" layoutPanel="appHeader"/>
<module name="AppBar" layoutPanel="navigationHeader"/>
<module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="clearOnJobDispatch">False</param>
<param name="maxSize">1</param>
</module>
<module name="Message" layoutPanel="messaging">
<param name="filter">splunk.search.job</param>
<param name="clearOnJobDispatch">True</param>
<param name="maxSize">1</param>
</module>
<module name="TitleBar" layoutPanel="viewHeader">
<param name="actionsMenuFilter">dashboard</param>
</module>
<module name="SearchSelectLister" layoutPanel="viewHeader">
<param name="settingToCreate">sourcetype_setting</param>
<param name="label">Select Name</param>
<param name="search">index=_internal earliest=-1h@h | stats count by sourcetype
</param>
<param name="staticFieldsToDisplay"/>
<param name="searchFieldsToDisplay">
<list>
<param name="value">sourcetype</param>
<param name="label">sourcetype</param>
</list>
</param>
<param name="searchWhenChanged">False</param>
<module name="ConvertToIntention">
<param name="intention">
<param name="arg">
<param name="sourcetype">
<param name="value">$target$</param>
<param name="fillOnEmpty">True</param>
</param>
</param>
<param name="name">stringreplace</param>
</param>
<param name="settingToConvert">sourcetype_setting</param>
<module name="SubmitButton" layoutPanel="viewHeader">
<param name="allowSoftSubmit">True</param>
<param name="visible">True</param>
<param name="label">Search</param>
<param name="updatePermalink">True</param>
<module name="HiddenSearch" layoutPanel="panel_row1_col1" group="Count over time" autoRun="False">
<param name="groupLabel">Count over time</param>
<param name="search">
index=_internal sourcetype=$sourcetype$ earliest=-1h@h| timechart count
</param>
<module name="ViewstateAdapter">
<param name="suppressionList">
<item>charting.chart</item>
</param>
<module name="HiddenFieldPicker">
<param name="strictMode">True</param>
<module name="JobProgressIndicator">
<module name="EnablePreview">
<param name="enable">True</param>
<param name="display">False</param>
<module name="HiddenChartFormatter">
<param name="charting.chart">area</param>
<module name="JSChart">
<param name="width">100%</param>
<module name="Gimp"/>
<module name="ConvertToDrilldownSearch">
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
<module name="HiddenSearch" layoutPanel="panel_row1_col2" group="Top sources in sourcetype" autoRun="False">
<param name="groupLabel">Top sources in sourcetype</param>
<param name="search">
index=_internal sourcetype=$sourcetype$ earliest=-1h@h| top source
</param>
<module name="ViewstateAdapter">
<param name="suppressionList"/>
<module name="HiddenFieldPicker">
<param name="strictMode">True</param>
<module name="JobProgressIndicator"/>
<module name="Paginator">
<param name="count">10</param>
<param name="entityName">results</param>
<module name="EnablePreview">
<param name="enable">True</param>
<param name="display">False</param>
<module name="SimpleResultsTable">
<param name="drilldown">row</param>
<param name="allowTransformedFieldSelect">True</param>
<param name="entityName">results</param>
<module name="Gimp"/>
<module name="ConvertToDrilldownSearch">
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</view>
Yep, we are working on the project now to complete the upgrade process, which also involves new hardware. We decided to skip over Splunk 5.0 and 6.0 and that is why we are still running Splunk 4.3 and planning to go all the way up to Splunk 6.1.
Try something like this (runanywhere example with dropdown for sourcetype and two panels)
<view autoCancelInterval="90" isVisible="true" objectMode="SimpleForm" onunloadCancelJobs="true" template="dashboard.html">
<label>SimpleXmlDropDown</label>
<module name="AccountBar" layoutPanel="appHeader"/>
<module name="AppBar" layoutPanel="navigationHeader"/>
<module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="clearOnJobDispatch">False</param>
<param name="maxSize">1</param>
</module>
<module name="Message" layoutPanel="messaging">
<param name="filter">splunk.search.job</param>
<param name="clearOnJobDispatch">True</param>
<param name="maxSize">1</param>
</module>
<module name="TitleBar" layoutPanel="viewHeader">
<param name="actionsMenuFilter">dashboard</param>
</module>
<module name="SearchSelectLister" layoutPanel="viewHeader">
<param name="settingToCreate">sourcetype_setting</param>
<param name="label">Select Name</param>
<param name="search">index=_internal earliest=-1h@h | stats count by sourcetype
</param>
<param name="staticFieldsToDisplay"/>
<param name="searchFieldsToDisplay">
<list>
<param name="value">sourcetype</param>
<param name="label">sourcetype</param>
</list>
</param>
<param name="searchWhenChanged">False</param>
<module name="ConvertToIntention">
<param name="intention">
<param name="arg">
<param name="sourcetype">
<param name="value">$target$</param>
<param name="fillOnEmpty">True</param>
</param>
</param>
<param name="name">stringreplace</param>
</param>
<param name="settingToConvert">sourcetype_setting</param>
<module name="SubmitButton" layoutPanel="viewHeader">
<param name="allowSoftSubmit">True</param>
<param name="visible">True</param>
<param name="label">Search</param>
<param name="updatePermalink">True</param>
<module name="HiddenSearch" layoutPanel="panel_row1_col1" group="Count over time" autoRun="False">
<param name="groupLabel">Count over time</param>
<param name="search">
index=_internal sourcetype=$sourcetype$ earliest=-1h@h| timechart count
</param>
<module name="ViewstateAdapter">
<param name="suppressionList">
<item>charting.chart</item>
</param>
<module name="HiddenFieldPicker">
<param name="strictMode">True</param>
<module name="JobProgressIndicator">
<module name="EnablePreview">
<param name="enable">True</param>
<param name="display">False</param>
<module name="HiddenChartFormatter">
<param name="charting.chart">area</param>
<module name="JSChart">
<param name="width">100%</param>
<module name="Gimp"/>
<module name="ConvertToDrilldownSearch">
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
<module name="HiddenSearch" layoutPanel="panel_row1_col2" group="Top sources in sourcetype" autoRun="False">
<param name="groupLabel">Top sources in sourcetype</param>
<param name="search">
index=_internal sourcetype=$sourcetype$ earliest=-1h@h| top source
</param>
<module name="ViewstateAdapter">
<param name="suppressionList"/>
<module name="HiddenFieldPicker">
<param name="strictMode">True</param>
<module name="JobProgressIndicator"/>
<module name="Paginator">
<param name="count">10</param>
<param name="entityName">results</param>
<module name="EnablePreview">
<param name="enable">True</param>
<param name="display">False</param>
<module name="SimpleResultsTable">
<param name="drilldown">row</param>
<param name="allowTransformedFieldSelect">True</param>
<param name="entityName">results</param>
<module name="Gimp"/>
<module name="ConvertToDrilldownSearch">
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</view>
Still, even (especially?) in large environments you should get the time invested in an upgrade back quickly.
Do you have Sideview Utils on your Splunk(s)?
That is not as easiest as it sounds for us as we have over 200 Splunk servers in 13 separate instances. It is not as simple as dropping a rpm onto a server and running it.
You should really consider upgrading to Splunk 6.1. This kind of thing can now be built using the graphical SimpleXML editor in no time.