Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Make set of data easily searchable for users on a dashboard?

xxkenta
Explorer
‎12-18-2017 01:22 PM

I would like to make either an app/add-on or a dashboard so that users who use Splunk only for a specific set of logs can search that data easier.

I would like them to be able to select said app or dashboard and then enter in search data. Currently, the particular data is coming in from the same index as a lot of other data, and the users have to remember to search for a particular field, "process=a_process", in order for the rest of their data (ip address or username) to show relevant search data.

Which would be better for this case between an app or a dashboard? How can I configure it so that they do not need to enter in
this field for them to search for related data? Eventually graphs and visualizations will be added to the page.

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-18-2017 11:48 PM

Hi xxkenta,
I usually create an App for each destination, I like this approach to have in one App all the knowledge objects (fields, tags, etc...) related to that problem.
In this case you'll have an App with at least one dashboard.

If I correctly undestood your need, we solved a similar problem creating an App (called Log Analyzer) used by developers that didn't know Splunk to debug their applications logs.
We have many logs and many flows, so we created a dashboard with some filters to identify the log flow to analyze (e.g. using sourcetype or source or host), in addition there's a text box to perform free text searches.
Result is _raw.

After I developed some dashboard to monitor inputs and understand volumes, perimeter, etc...

Bye.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-18-2017 11:48 PM

Hi xxkenta,
I usually create an App for each destination, I like this approach to have in one App all the knowledge objects (fields, tags, etc...) related to that problem.
In this case you'll have an App with at least one dashboard.

If I correctly undestood your need, we solved a similar problem creating an App (called Log Analyzer) used by developers that didn't know Splunk to debug their applications logs.
We have many logs and many flows, so we created a dashboard with some filters to identify the log flow to analyze (e.g. using sourcetype or source or host), in addition there's a text box to perform free text searches.
Result is _raw.

After I developed some dashboard to monitor inputs and understand volumes, perimeter, etc...

Bye.
Giuseppe

Reply
Solved! Jump to solution

xxkenta
Explorer
‎12-19-2017 07:20 AM

Thank you. If I create an app for this, say a user wants to debug something related to an IP address 10.10.10.10. Normally they'd have to search "process=a_process 10.10.10.10". How would I configure the app to assume this "process=a_process" so that the user only needs to search the ip address?

Thank you

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-20-2017 12:00 AM

Hi xxkenta,

if your conditions are fixed you can use a fixed search, something like this

index=your_index process=a_process 10.10.10.10

and display _row.

If instead you want to choose different conditions, create one or more lookups for your conditions (e.g. processes.csv and perimeter.csv), and use one or more filters, e.g. a dropdown for process field and a dropdown for IPs, then in your search use something like this:

index=your_index process=$process$ IP=$IP$

where process and IP are two tokens from two dropdowns.

Anyway insert always a text box for free text searches, is very useful!

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

xxkenta
Explorer
‎12-19-2017 07:20 AM

Thank you. If I create an app for this, say a user wants to debug something related to an IP address 10.10.10.10. Normally they'd have to search "process=a_process 10.10.10.10". How would I configure the app to assume this "process=a_process" so that the user only needs to search the ip address?

Thank you

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎12-18-2017 06:33 PM

seems like a good use case for "tags"
read here:
http://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Abouttagsandaliases
hope it helps

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...