Is it possible to populate a drop-down with indexes that belong to a certain app in Splunk?

Explorer

I configured our Splunk environment to allow for indexes to be set up via the REST API. As part of this, you can specify which "app" an index should "belong" to.

As an example of what I would like to achieve...

If I created the following indexes:

Index Name   App Name
index1       app1
index2       app1
index3       app2
index4       app1 
index5       app2

I want to be able to create a drop-down search on a dashboard that is part of app1 which will return a list of indexes that belong to that app. In this case, the drop-down would include: index1, index2 and index4.

Is this possible?

0 Karma
1 Solution

Legend

The specification for an index is stored in indexes.conf. The indexes.conf file belongs to an app.

However, the index that is created from the specification does not belong to any app.

AFAIK, there is no search that you can run that will return a list of the indexes along with where they were specified. But that might be possible with a REST API call. You would probably need to iterate over all the index configurations across all apps - it would probably be pretty ugly. I can't see it as a reasonable search to build a dashboard drop-down.

If the list is fairly static, you could put it in a lookup file. Then just use the lookup file (with the inputlookup command) to populate the drop-down. This is more flexible than hard-coding the list.

0 Karma

Explorer

Thank you for the response Iguinn. That is as I thought sadly.

Fortunately though, your REST API suggestion has got me thinking about this another way. For the indexes that I am looking to return, I know they will have been created through the REST API, and as part of the script that calls the API I output the name of the index being created to a text file. If I read this file into Splunk (either as a lookup or as a file Splunk monitors) I will have my list of indexes. I think this will give me quite a nice solution.

One other thing I have found is | dbinspect index=* and I can potentially search on path to find the index names... it just seems a bit of an unclean solution. If you look at the indexes in the UI it does seem to suggest that an index relates to the app it was created in and this information must be held somewhere - I just can't figure out where.

0 Karma
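
An added example, not part of the thread or any poster's script: it turns a JSON index listing from the REST API into the lookup-file rows discussed in the answer and the reply above, filtered to one app. It assumes the listing comes from Splunk's /services/data/indexes endpoint with output_mode=json and that each entry carries `name` and `acl.app`; the sample response is constructed from the index names in the question.

```python
import csv
import io
import json

# Constructed sample of a JSON listing from the index REST endpoint
# (output_mode=json). The entry/name/acl.app layout is an assumption about
# the response; index and app names are the ones from the question.
SAMPLE_RESPONSE = json.dumps({"entry": [
    {"name": "index1", "acl": {"app": "app1"}},
    {"name": "index2", "acl": {"app": "app1"}},
    {"name": "index3", "acl": {"app": "app2"}},
    {"name": "index4", "acl": {"app": "app1"}},
    {"name": "index5", "acl": {"app": "app2"}},
    {"name": "_internal", "acl": {"app": "system"}},
    {"name": "orphan"},  # entry without ACL data: skipped, never guessed
]})


def indexes_by_app(response_text):
    """Map app name -> sorted list of index names defined in that app."""
    apps = {}
    for entry in json.loads(response_text).get("entry", []):
        name = entry.get("name")
        app = (entry.get("acl") or {}).get("app")
        if not name or not app:
            continue  # incomplete entry: leave it out of every drop-down
        apps.setdefault(app, set()).add(name)
    return {app: sorted(names) for app, names in apps.items()}


def lookup_csv(response_text, app):
    """Render lookup-file content (index,app) for one app's indexes."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["index", "app"])
    for name in indexes_by_app(response_text).get(app, []):
        writer.writerow([name, app])
    return out.getvalue()


if __name__ == "__main__":
    # Save this output as a lookup file and read it with inputlookup
    # to populate the drop-down on the app1 dashboard.
    print(lookup_csv(SAMPLE_RESPONSE, "app1"), end="")
```

Because the lookup only lists indexes defined in the dashboard's own app, the drop-down does not expose index names from other apps or from the system context.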

Legend

The indexes.conf file is stored in the directory tree under the app name. Since Splunk knows the location of the file, it populates the UI based on the directory name.

0 Karma

Explorer

That would explain why I can find where the information is stored. I have got my API solution working now though so will just have to stick with that.

Thank you for your help with this.

0 Karma