Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Dashboards & Visualizations
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Nested search in form based dashboard panel
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jangid
Builder
08-15-2012
05:44 AM
My XML for form based dashboard panel is
<form>
<label>Job Statistics</label>
<fieldset autoRun="true">
<input type="time" searchWhenChanged="true">
<default>Last 7 Days</default>
</input>
<input type="dropdown" token="JT_JOB_NAME">
<label>Select Job Name</label>
<populatingSearch fieldForValue="JT_JOB_NAME" fieldForLabel="JT_JOB_NAME">
<![CDATA[eventtype=counters_jt | rex "(?i)^[^\[]*\[\w+\]\s+\[(?P<JT_JOB_NAME>[^\]]+)" | table JT_JOB_NAME | dedup JT_JOB_NAME | sort JT_JOB_NAME ]]>
</populatingSearch>
</input>
<input type="dropdown" token="JT_JOB_NAME">
<label>Select Job ID</label>
<populatingSearch fieldForValue="JT_JOB" fieldForLabel="JT_JOB">
<![CDATA[eventtype=counters_jt | rex "(?i)^[^\[]*\[\w+\]\s+\[(?P<JT_JOB_NAME>[^\]]+)" | table JT_JOB, JT_JOB_NAME | where JT_JOB_NAME="$JT_JOB_NAME$" | dedup JT_JOB | fields - JT_JOB_NAME | sort JT_JOB ]]>
</populatingSearch>
</input>
</fieldset>
<row>
<chart>
<searchTemplate>
<![CDATA[ eventtype=counters_jt | rex "(?i)^[^\[]*\[\w+\]\s+\[(?P<JT_JOB_NAME>[^\]]+)" | table _time JT_JOB, THROUGHPUT | where JT_JOB="$JT_JOB$" AND JT_JOB="$JT_JOB_NAME$" | timechart count(THROUGHPUT)]]>
</searchTemplate>
<label>Throughtput for $JT_JOB$ </label>
<option name="charting.chart">line</option>
<option name="charting.primaryAxisTitle.text">Time</option>
<option name="charting.secondaryAxisTitle.text">Throughput</option>
</chart>
</row>
</form>
How Do I fill 2nd drop down based on first one?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tfletcher_splun
Splunk Employee
08-15-2012
11:53 AM
You're going to need to convert to advanced xml most likely. I have done everything except the timerange picker:
<view autoCancelInterval="90" isPersistable="true" isSticky="true" isVisible="true" objectMode="viewconf" onunloadCancelJobs="true" template="dashboard.html">
<label>Job Statistics</label>
<module name="AccountBar" layoutPanel="appHeader"/>
<module name="AppBar" layoutPanel="navigationHeader"/>
<module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="clearOnJobDispatch">False</param>
<param name="maxSize">1</param>
</module>
<module name="TitleBar" layoutPanel="viewHeader">
<param name="actionsMenuFilter">dashboard</param>
</module>
<module name="SearchSelectLister" layoutPanel="mainSearchControls" group="appViewControls" autoRun="true">
<param name="search"><![CDATA[eventtype=counters_jt | rex "(?i)^[^\[]*\[\w+\]\s+\[(?P<JT_JOB_NAME>[^\]]+)" | table JT_JOB_NAME | dedup JT_JOB_NAME | sort JT_JOB_NAME ]]></param>
<param name="label">Select Job Name</param>
<param name="settingToCreate">JT_JOB_NAME_setting</param>
<param name="searchFieldsToDisplay">
<list>
<param name="value">JT_JOB_NAME</param>
<param name="label">JT_JOB_NAME</param>
</list>
</param>
<param name="earliest">0</param>
<module name="ConvertToIntention">
<param name="settingToConvert">JT_JOB_NAME_setting</param>
<param name="intention">
<param name="name">stringreplace</param>
<param name="arg">
<param name="app">
<param name="value">$target$</param>
</param>
</param>
</param>
<module name="SearchSelectLister" group="appViewControls">
<param name="search"><![CDATA[eventtype=counters_jt | rex "(?i)^[^\[]*\[\w+\]\s+\[(?P<JT_JOB_NAME>[^\]]+)" | table JT_JOB, JT_JOB_NAME | where JT_JOB_NAME="$JT_JOB_NAME$" | dedup JT_JOB | fields - JT_JOB_NAME | sort JT_JOB ]]></param>
<param name="label">Select Job ID</param>
<param name="settingToCreate">JT_JOB_setting</param>
<param name="applyOuterIntentionsToInternalSearch">True</param>
<param name="searchFieldsToDisplay">
<list>
<param name="value">JT_JOB</param>
<param name="label">JT_JOB</param>
</list>
</param>
<param name="earliest">0</param>
<module name="ConvertToIntention">
<param name="settingToConvert">JT_JOB_setting</param>
<param name="intention">
<param name="name">stringreplace</param>
<param name="arg">
<param name="view">
<param name="value">$target$</param>
</param>
</param>
</param>
<module name="SubmitButton" group="appViewControls">
<param name="label">Search</param>
<!-- Overall View Loadtime -->
<module name="HiddenSearch" layoutPanel="panel_row1_col1" group="Overall View Performance">
<param name="search"><![CDATA[ eventtype=counters_jt | rex "(?i)^[^\[]*\[\w+\]\s+\[(?P<JT_JOB_NAME>[^\]]+)" | table _time JT_JOB, THROUGHPUT | where JT_JOB="$JT_JOB$" AND JT_JOB="$JT_JOB_NAME$" | timechart count(THROUGHPUT)]]></param>
<param name="earliest">0</param>
<module name="HiddenChartFormatter">
<param name="legend.placement">None</param>
<param name="secondaryAxisTitle.text">Throughput</param>
<param name="chart">line</param>
<param name="primaryAxisTitle.text">Time</param>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">250px</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</view>
You may find this link helpful:
http://docs.splunk.com/Documentation/Splunk/4.3.3/Developer/AdvancedDashboard
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tfletcher_splun
Splunk Employee
08-15-2012
11:53 AM
You're going to need to convert to advanced xml most likely. I have done everything except the timerange picker:
<view autoCancelInterval="90" isPersistable="true" isSticky="true" isVisible="true" objectMode="viewconf" onunloadCancelJobs="true" template="dashboard.html">
<label>Job Statistics</label>
<module name="AccountBar" layoutPanel="appHeader"/>
<module name="AppBar" layoutPanel="navigationHeader"/>
<module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="clearOnJobDispatch">False</param>
<param name="maxSize">1</param>
</module>
<module name="TitleBar" layoutPanel="viewHeader">
<param name="actionsMenuFilter">dashboard</param>
</module>
<module name="SearchSelectLister" layoutPanel="mainSearchControls" group="appViewControls" autoRun="true">
<param name="search"><![CDATA[eventtype=counters_jt | rex "(?i)^[^\[]*\[\w+\]\s+\[(?P<JT_JOB_NAME>[^\]]+)" | table JT_JOB_NAME | dedup JT_JOB_NAME | sort JT_JOB_NAME ]]></param>
<param name="label">Select Job Name</param>
<param name="settingToCreate">JT_JOB_NAME_setting</param>
<param name="searchFieldsToDisplay">
<list>
<param name="value">JT_JOB_NAME</param>
<param name="label">JT_JOB_NAME</param>
</list>
</param>
<param name="earliest">0</param>
<module name="ConvertToIntention">
<param name="settingToConvert">JT_JOB_NAME_setting</param>
<param name="intention">
<param name="name">stringreplace</param>
<param name="arg">
<param name="app">
<param name="value">$target$</param>
</param>
</param>
</param>
<module name="SearchSelectLister" group="appViewControls">
<param name="search"><![CDATA[eventtype=counters_jt | rex "(?i)^[^\[]*\[\w+\]\s+\[(?P<JT_JOB_NAME>[^\]]+)" | table JT_JOB, JT_JOB_NAME | where JT_JOB_NAME="$JT_JOB_NAME$" | dedup JT_JOB | fields - JT_JOB_NAME | sort JT_JOB ]]></param>
<param name="label">Select Job ID</param>
<param name="settingToCreate">JT_JOB_setting</param>
<param name="applyOuterIntentionsToInternalSearch">True</param>
<param name="searchFieldsToDisplay">
<list>
<param name="value">JT_JOB</param>
<param name="label">JT_JOB</param>
</list>
</param>
<param name="earliest">0</param>
<module name="ConvertToIntention">
<param name="settingToConvert">JT_JOB_setting</param>
<param name="intention">
<param name="name">stringreplace</param>
<param name="arg">
<param name="view">
<param name="value">$target$</param>
</param>
</param>
</param>
<module name="SubmitButton" group="appViewControls">
<param name="label">Search</param>
<!-- Overall View Loadtime -->
<module name="HiddenSearch" layoutPanel="panel_row1_col1" group="Overall View Performance">
<param name="search"><![CDATA[ eventtype=counters_jt | rex "(?i)^[^\[]*\[\w+\]\s+\[(?P<JT_JOB_NAME>[^\]]+)" | table _time JT_JOB, THROUGHPUT | where JT_JOB="$JT_JOB$" AND JT_JOB="$JT_JOB_NAME$" | timechart count(THROUGHPUT)]]></param>
<param name="earliest">0</param>
<module name="HiddenChartFormatter">
<param name="legend.placement">None</param>
<param name="secondaryAxisTitle.text">Throughput</param>
<param name="chart">line</param>
<param name="primaryAxisTitle.text">Time</param>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">250px</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</view>
You may find this link helpful:
http://docs.splunk.com/Documentation/Splunk/4.3.3/Developer/AdvancedDashboard
Get Updates on the Splunk Community!
Fun with Regular Expression - multiples of nine
Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...
[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...
Overwhelmed SOC? Splunk ES Has Your Back
Tool sprawl, alert fatigue, and endless context switching are making ...
What’s New & Next in Splunk SOAR
Security teams today are dealing with more alerts, more tools, and more pressure than ever. Join us on ...
