Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using a result to aid in an ongoing search to display on a Dashboard

kisa
Explorer
‎07-30-2013 12:48 AM

Hi,

My main goal is to build a Dashboard/Form that accepts a user input of a filename. The Dashboard/Form then filters through the logs to display the movement of a file across numerous processes, displaying the filename and the processors name it goes through.

Doing the initial search by filename and displaying the logs retrieved (including the processors name) is pretty straight forward (I did this using a Form to allow a user input.

The problem I'm having is that in some of the processes the files name gets changed. The following steps outline what's happening and what I'd like displayed (the Splunk filtering steps/methods are only suggestive). Bold line depicting what would be shown in the Dashboard/form.

  • User inputs filename as "Filename1" and clicks search
  • Splunk searches logs and starts displaying results in order of date/time. E.G:-

30 July 2013 1100 Process1 filename=Filename1

  • Splunk checks log for new filname "False"

30 July 2013 1101 Process2 filename=Filename1

  • Splunk checks log for new filname "False"

30 July 2013 1102 Process3 filename=Filename1 newFilename=Filename2

  • Splunk checks log for new filname "True"
  • Continue search with new filename and display logs relating to new filename

30 July 2013 1103 Process4 filename=Filename2

  • Splunk checks log for new filname "False"

30 July 2013 1104 Process5 filename=Filename2 newFilename=Filename3

  • Splunk checks log for new filname "True"
  • Continue search with new filename and display logs relating to new filename

30 July 2013 1105 Process6 filename=Filename3

Sorry if it seems a bit long winded, that was the best way I could think of to explain it 🙂

Any help in how to construct such a Dashboard in either Simple or Advanced XML would be much appreciated.

I say this as it's looking like I will be required to become proficient in Splunk Dashboard creation and it was suggested that if I'm heading down that path that I should learn Advanced XML.
So I'm happy to hear any thoughts regarding that advice 🙂

Thanks and regards,

Mark

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎08-02-2013 12:01 PM

I tried to make a custom command because it could not be resolved in the search command.
It is a simple command that only support data of the sample.


Date,Process,Filename,NewFilename
"2013/8/2 10:59",Process1,Filename0,
"2013/8/2 11:01",Process2,Filename1,
"2013/8/2 11:02",Process3,Filename1,Filename2
"2013/8/2 11:03",Process4,Filename2,
"2013/8/2 11:04",Process5,Filename2,Filename3
"2013/8/2 11:05",Process6,Filename3,
"2013/8/2 11:06",Process7,Filename4,
"2013/8/2 11:07",Process8,Filename5,
"2013/8/2 11:08",Process9,Filename6,


・・・・・・・|sort _time asec| myselect filename="Filename1"


[myselect]
filename = myselect.py


import sys,splunk.Intersplunk
from splunk.Intersplunk import getOrganizedResults, outputResults, getKeywordsAndOptions

results,dummyresults,settings = getOrganizedResults()
args, keyValues = getKeywordsAndOptions()

if keyValues.has_key('filename') == False:
print "Usage: | myselect filename=[filename]"
outputResults(results)
sys.exit(0)

saveFilename = keyValues['filename']

newresults = []
for result in results:
if result['Filename'] == saveFilename:
newresults.append(result)
if len(result['NewFilename']) > 0:
saveFilename = result['NewFilename']
splunk.Intersplunk.outputResults(newresults)

View solution in original post

Reply
Solved! Jump to solution

HiroshiSatoh
Champion
‎08-03-2013 03:33 AM

This is a sample of the dashboard. Please correct the search statement.

<?xml version='1.0' encoding='utf-8'?>

<label>Myselect</label>
<searchTemplate>
    source="Process.csv" |sort _time asec| myselect filename=$Filename$
</searchTemplate>

<fieldset>

    <input type="dropdown" token="Filename">
        <label>Target Filename</label>
            <populatingSearch fieldForValue="Filename" fieldForLabel="Filename">
                <![CDATA[source="Process.csv" |table Filename|dedup Filename|sort Filename|where Filename!="Filename"]]>
            </populatingSearch>
    </input>

</fieldset>



Time Recorder
50
true


Reply
Solved! Jump to solution

kisa
Explorer
‎08-04-2013 05:21 AM

Sorry, I hadn't forgot, just hadn't had a chance to test it. I'll check it now, but I can't guarantee I won't ask more questions 🙂

0 Karma
Reply
Solved! Jump to solution

HiroshiSatoh
Champion
‎08-04-2013 04:37 AM

Please give me a check at the top left of the answer you have resolved.

0 Karma
Reply
Solved! Jump to solution

kisa
Explorer
‎08-03-2013 05:23 AM

Excellent, thank you again HiroshiSatch.

0 Karma
Reply
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎08-02-2013 12:01 PM

I tried to make a custom command because it could not be resolved in the search command.
It is a simple command that only support data of the sample.


Date,Process,Filename,NewFilename
"2013/8/2 10:59",Process1,Filename0,
"2013/8/2 11:01",Process2,Filename1,
"2013/8/2 11:02",Process3,Filename1,Filename2
"2013/8/2 11:03",Process4,Filename2,
"2013/8/2 11:04",Process5,Filename2,Filename3
"2013/8/2 11:05",Process6,Filename3,
"2013/8/2 11:06",Process7,Filename4,
"2013/8/2 11:07",Process8,Filename5,
"2013/8/2 11:08",Process9,Filename6,


・・・・・・・|sort _time asec| myselect filename="Filename1"


[myselect]
filename = myselect.py


import sys,splunk.Intersplunk
from splunk.Intersplunk import getOrganizedResults, outputResults, getKeywordsAndOptions

results,dummyresults,settings = getOrganizedResults()
args, keyValues = getKeywordsAndOptions()

if keyValues.has_key('filename') == False:
print "Usage: | myselect filename=[filename]"
outputResults(results)
sys.exit(0)

saveFilename = keyValues['filename']

newresults = []
for result in results:
if result['Filename'] == saveFilename:
newresults.append(result)
if len(result['NewFilename']) > 0:
saveFilename = result['NewFilename']
splunk.Intersplunk.outputResults(newresults)

Reply
Solved! Jump to solution

kisa
Explorer
‎08-02-2013 08:08 PM

Thank you very much for your reply HiroshSatoh. I've never used Python in Splunk before, so I'll need to work out how it's incorporated into a Dashboard.

But from my initial peruse over the code it does look promising :). I'll let you know how I go.

Thanks again.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...