Dashboards & Visualizations

How to create a multi drop-down dashboard?

erazz
New Member

I'm wanting to create a dashboard/form to filter results by 2 or 3 different criteria. I've been looking through some of the walkthroughs, but I am very new to XML (every example I find is all based off of XML) and haven't quite been able to find the right way to do it. This won't be a graph, but filtering event details.

For example: the fields I have in my initial search string are pluginID, pluginName, severity, dnsName, ip, description, pluginText, and it displays both critical and high severity. I'd like to be able to filter between IP address (this wouldn't be static, so I can provide a range, it's just whatever is in the results), Severity (this looks like it would be a multiselect input) and possibly family, but I'm having some issues getting that syntax to work.

So just looking for some guidance on where to start other than creating the drop-downs and such. Thanks!

0 Karma

horsefez
Motivator

Hi,

I can give you an example from one of my dashboards I've created. This could give you hints to solving your problem.

I have a dashboard that gets populated by the choices you make in the dropdown and radio fields. The radio fields also change depending on the choice you make in the dropdown field.

<form>
  <label>Dashboard_ABC</label>
  <description>this is splunk!</description>
  <row>
    <panel>
      <input type="dropdown" token="field_1">
        <label>somelabel</label>
        <default>Splunk</default>
        <fieldForLabel>Application</fieldForLabel>
        <fieldForValue>field_1</fieldForValue>
        <search>
          <query>index=someindex | dedup field_1 | sort field_1</query>
          <earliest>-60d</earliest>
          <latest>now</latest>
        </search>
      </input>
      <input type="radio" token="field_2" searchWhenChanged="true">
        <label>someotherlabel</label>
        <fieldForLabel>Alert_Category</fieldForLabel>
        <default>*</default>
        <choice value="*">All ________________________________________________________________________________________</choice>
        <fieldForValue>field_2</fieldForValue>
        <search>
          <query>index=someindex field_1="$field_1$" | dedup field_2 | sort field_2</query>
          <earliest>-60d</earliest>
          <latest>now</latest>
        </search>
      </input>
    </panel>
  </row>
</form>


Maybe this will help you a bit.

Regards,
pyro_wood

0 Karma

erazz
New Member

Thanks for the response. Which is the line for how the results are displayed? I'm assuming I would need to add into where the results are given table pluginID,pluginName,severity,dnsName,ip,description,pluginText ,

0 Karma
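
On the question of which line displays the results: in Simple XML the inputs only set tokens, and it is a panel's own search that renders the events. The form below is an added example, not part of either poster's dashboard; the index name `someindex` is carried over from the reply above, while the token names `ip_tok` and `severity_tok` and the severity values `critical` and `high` are assumptions about the data.

```xml
<form>
  <label>Scan findings (added example)</label>
  <fieldset submitButton="false">
    <!-- IP dropdown: choices are whatever ip values exist in the results -->
    <input type="dropdown" token="ip_tok" searchWhenChanged="true">
      <label>IP address</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>ip</fieldForLabel>
      <fieldForValue>ip</fieldForValue>
      <search>
        <query>index=someindex | stats count by ip | sort ip</query>
        <earliest>-60d</earliest>
        <latest>now</latest>
      </search>
    </input>
    <!-- Severity multiselect: selections expand to severity="a" OR severity="b" -->
    <input type="multiselect" token="severity_tok" searchWhenChanged="true">
      <label>Severity</label>
      <choice value="critical">Critical</choice>
      <choice value="high">High</choice>
      <default>critical,high</default>
      <valuePrefix>severity="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <!-- The panel search displays the results; both tokens filter it -->
      <table>
        <search>
          <query>index=someindex ip="$ip_tok$" ($severity_tok$) | table pluginID, pluginName, severity, dnsName, ip, description, pluginText</query>
          <earliest>-60d</earliest>
          <latest>now</latest>
        </search>
        <option name="count">20</option>
      </table>
    </panel>
  </row>
</form>
```

A third input, such as family, follows the same pattern: give it its own token and add a matching `field="$token$"` term to the panel query.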