Dashboards & Visualizations

Make set of data easily searchable for users on a dashboard?

xxkenta
Explorer

I would like to make either an app/add-on or a dashboard so that users who use Splunk only for a specific set of logs can search that data easier.

I would like them to be able to select said app or dashboard and then enter in search data. Currently, the particular data is coming in from the same index as a lot of other data, and the users have to remember to search for a particular field, "process=a_process", in order for the rest of their data (ip address or username) to show relevant search data.

Which would be better for this case between an app or a dashboard? How can I configure it so that they do not need to enter in this field for them to search for related data? Eventually graphs and visualizations will be added to the page.

Thanks

0 Karma
1 Solution

gcusello
SplunkTrust

Hi xxkenta,
I usually create an App for each destination; I like this approach since it keeps in one App all the knowledge objects (fields, tags, etc.) related to that problem.
In this case you'll have an App with at least one dashboard.

If I correctly understood your need, we solved a similar problem by creating an App (called Log Analyzer) used by developers who didn't know Splunk to debug their application logs.
We have many logs and many flows, so we created a dashboard with some filters to identify the log flow to analyze (e.g. using sourcetype, source or host); in addition, there's a text box to perform free text searches.
The result is _raw.

Afterwards I developed some dashboards to monitor inputs and understand volumes, perimeter, etc.

Bye.
Giuseppe

xxkenta
Explorer

Thank you. If I create an app for this, say a user wants to debug something related to an IP address 10.10.10.10. Normally they'd have to search "process=a_process 10.10.10.10". How would I configure the app to assume this "process=a_process" so that the user only needs to search the ip address?

Thank you

0 Karma

gcusello
SplunkTrust

Hi xxkenta,

If your conditions are fixed you can use a fixed search, something like this:

index=your_index process=a_process 10.10.10.10

and display _raw.

If instead you want to choose different conditions, create one or more lookups for your conditions (e.g. processes.csv and perimeter.csv) and use one or more filters, e.g. a dropdown for the process field and a dropdown for IPs; then in your search use something like this:

index=your_index process=$process$ IP=$IP$

where process and IP are two tokens from two dropdowns.

Anyway, always insert a text box for free text searches; it is very useful!

Bye.
Giuseppe

0 Karma
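The dashboard described in this answer written out as Simple XML, as an added example (not code from the thread or from gcusello's Log Analyzer app). It assumes an index called your_index, a process field, and a lookup file processes.csv with a process column; the token names time and term are invented for the example. The |s token filter quotes each user-supplied value, so a typed IP or username is matched as a literal search term instead of being substituted into the query as raw SPL.

```xml
<form>
  <label>a_process log search</label>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Process dropdown fed by the (assumed) lookup processes.csv with a "process" column;
         the default pins process=a_process so users never have to type it -->
    <input type="dropdown" token="process">
      <label>Process</label>
      <default>a_process</default>
      <fieldForLabel>process</fieldForLabel>
      <fieldForValue>process</fieldForValue>
      <search>
        <query>| inputlookup processes.csv | fields process</query>
      </search>
    </input>
    <!-- Free-text box for an IP address, username or any other term; "*" means no extra filter -->
    <input type="text" token="term">
      <label>Search term (IP address, username, ...)</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Matching events (_raw)</title>
      <event>
        <search>
          <!-- |s wraps the token value in quotes and escapes embedded quotes and backslashes,
               so user input cannot change the structure of the search (e.g. add a pipe) -->
          <query>index=your_index process=$process|s$ $term|s$ | fields _raw</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="count">20</option>
        <option name="list.drilldown">none</option>
      </event>
    </panel>
  </row>
</form>
```

Save it as a dashboard inside the App so the App's own knowledge objects (lookups, field extractions, tags) are available to it; searches still run with the permissions of the user viewing the dashboard.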

adonio
Ultra Champion

seems like a good use case for "tags"
read here:
http://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Abouttagsandaliases
hope it helps

0 Karma