I would like to make either an app/add-on or a dashboard so that users who use Splunk only for a specific set of logs can search that data more easily.
I would like them to be able to select said app or dashboard and then enter their search terms. Currently, the particular data is coming in from the same index as a lot of other data, and the users have to remember to search for a particular field, "process=a_process", in order for the rest of their search (IP address or username) to return relevant results.
Which would be better for this case, an app or a dashboard? How can I configure it so that they do not need to enter this field in order to search for related data? Eventually graphs and visualizations will be added to the page.
Thanks
Hi xxkenta,
I usually create an App for each destination; I like this approach because it keeps all the knowledge objects (fields, tags, etc.) related to that problem in one App.
In this case you'll have an App with at least one dashboard.
If I correctly understood your need, we solved a similar problem by creating an App (called Log Analyzer) used by developers who didn't know Splunk to debug their application logs.
We have many logs and many flows, so we created a dashboard with some filters to identify the log flow to analyze (e.g. using sourcetype, source or host); in addition, there is a text box to perform free-text searches.
The result is _raw.
Afterwards I developed some dashboards to monitor inputs and understand volumes, perimeter, etc.
Bye.
Giuseppe
Thank you. If I create an app for this, say a user wants to debug something related to an IP address 10.10.10.10. Normally they'd have to search "process=a_process 10.10.10.10". How would I configure the app to assume this "process=a_process" so that the user only needs to search the ip address?
Thank you
Hi xxkenta,
If your conditions are fixed, you can use a fixed search, something like this:
index=your_index process=a_process 10.10.10.10
and display _raw.
If instead you want to choose different conditions, create one or more lookups for your conditions (e.g. processes.csv and perimeter.csv) and use one or more filters, e.g. a dropdown for the process field and a dropdown for IPs; then in your search use something like this:
index=your_index process=$process$ IP=$IP$
where process and IP are the two tokens from the two dropdowns.
Anyway, always include a text box for free-text searches; it is very useful!
Bye.
Giuseppe
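The dashboard Giuseppe describes, written out as a Simple XML form. This is an added example, not code from the thread or from the Log Analyzer app: the fixed `process=a_process` filter is baked into the panel's query, the user only fills in the IP (or any free text), and a process dropdown fed by a hypothetical `processes.csv` lookup (assumed to have a `process` column) shows the token-driven variant. `your_index`, the lookup name and the token names are assumptions.

```xml
<form>
  <label>a_process Log Search</label>
  <description>Every search on this page is restricted to process=a_process in index=your_index (assumed names).</description>

  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="time_tok">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>

    <!-- Free-text box: the user types only "10.10.10.10" (or a username).
         Default "*" keeps the query valid when the box is left empty. -->
    <input type="text" token="free_tok">
      <label>IP address, username or other free text</label>
      <default>*</default>
    </input>

    <!-- Token-driven variant from the answer: a dropdown populated from a
         lookup (assumed: processes.csv with a "process" column).
         Default selects a_process so the common case needs no click. -->
    <input type="dropdown" token="process_tok" searchWhenChanged="false">
      <label>Process</label>
      <default>a_process</default>
      <fieldForLabel>process</fieldForLabel>
      <fieldForValue>process</fieldForValue>
      <search>
        <query>| inputlookup processes.csv | fields process</query>
      </search>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>Matching events (_raw)</title>
      <event>
        <search>
          <!-- process=$process_tok$ resolves to process=a_process unless the
               user picks another value; $free_tok$ is appended as plain SPL. -->
          <query>index=your_index process=$process_tok$ $free_tok$</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
        <option name="count">20</option>
        <option name="list.drilldown">none</option>
      </event>
    </panel>
  </row>
</form>
```

One caveat worth keeping in mind: dashboard tokens are substituted into the query text verbatim, so a user can still type `process=*` or a pipe into the free-text box and widen or change the search. The dashboard removes the need to remember the filter; it is not an access-control boundary. If these users should never see the other data in the index, restrict their role (index access and search filters) rather than relying on the fixed query.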
Seems like a good use case for "tags".
Read here:
http://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Abouttagsandaliases
Hope it helps.