Make set of data easily searchable for users on a dashboard?

Explorer

I would like to make either an app/add-on or a dashboard so that users who use Splunk only for a specific set of logs can search that data easier.

I would like them to be able to select said app or dashboard and then enter in search data. Currently, the particular data is coming in from the same index as a lot of other data, and the users have to remember to search for a particular field, "process=a_process", in order for the rest of their data (ip address or username) to show relevant search data.

Which would be better for this case between an app or a dashboard? How can I configure it so that they do not need to enter in this field for them to search for related data? Eventually graphs and visualizations will be added to the page.

Thanks

0 Karma

Re: Make set of data easily searchable for users on a dashboard?

SplunkTrust

seems like a good use case for "tags"
read here:
http://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Abouttagsandaliases
hope it helps

0 Karma

Re: Make set of data easily searchable for users on a dashboard?

Legend

Hi xxkenta,
I usually create an App for each destination, I like this approach to have in one App all the knowledge objects (fields, tags, etc...) related to that problem.
In this case you'll have an App with at least one dashboard.

If I correctly understood your need, we solved a similar problem creating an App (called Log Analyzer) used by developers that didn't know Splunk to debug their applications logs.
We have many logs and many flows, so we created a dashboard with some filters to identify the log flow to analyze (e.g. using sourcetype or source or host), in addition there's a text box to perform free text searches.
Result is _raw.

Afterwards I developed some dashboards to monitor inputs and understand volumes, perimeter, etc...

Bye.
Giuseppe


Re: Make set of data easily searchable for users on a dashboard?

Explorer

Thank you. If I create an app for this, say a user wants to debug something related to an IP address 10.10.10.10. Normally they'd have to search "process=aprocess 10.10.10.10". How would I configure the app to assume this "process=aprocess" so that the user only needs to search the ip address?

Thank you

0 Karma

Re: Make set of data easily searchable for users on a dashboard?

Legend

Hi xxkenta,

if your conditions are fixed you can use a fixed search, something like this

index=your_index process=a_process 10.10.10.10

and display _raw.

If instead you want to choose different conditions, create one or more lookups for your conditions (e.g. processes.csv and perimeter.csv), and use one or more filters, e.g. a dropdown for process field and a dropdown for IPs, then in your search use something like this:

index=your_index process=$process$ IP=$IP$

where process and IP are two tokens from two dropdowns.

Anyway, always insert a text box for free text searches, it is very useful!

Bye.
Giuseppe

0 Karma
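
The dashboard described in the answers above, written out as Splunk Simple XML. This is an added example, not code from any poster in the thread: it assumes processes.csv has a column named process, keeps your_index as the placeholder used above, and the token names process, freetext and time are chosen here for illustration. The |s token filter quotes each value so whatever the user types is searched as a literal string rather than parsed as search syntax.

```xml
<form>
  <label>a_process log search</label>
  <fieldset submitButton="true" autoRun="false">
    <!-- Dropdown filled from the lookup; defaults to a_process so users
         never have to type process=a_process themselves -->
    <input type="dropdown" token="process">
      <label>Process</label>
      <search>
        <query>| inputlookup processes.csv | fields process</query>
      </search>
      <fieldForLabel>process</fieldForLabel>
      <fieldForValue>process</fieldForValue>
      <default>a_process</default>
    </input>
    <!-- Free text box: an IP address, a username or any other string.
         Because of |s below, several words are matched as one phrase. -->
    <input type="text" token="freetext">
      <label>IP address, username or free text</label>
      <default>*</default>
    </input>
    <input type="time" token="time">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <!-- Event panel shows the matching raw events (_raw) -->
      <event>
        <search>
          <!-- The index and process filters are fixed by the dashboard;
               only the quoted free text comes from the user -->
          <query>index=your_index process=$process|s$ $freetext|s$</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="count">20</option>
      </event>
    </panel>
  </row>
</form>
```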