I currently know of two ways to give people weekly and monthly data in a decent format.
1. Write two of every search with the range of one being a week and another being a month. Make two dashboards: one of all the week visualizations, one of all the month visualizations.
2. Use XML to generate drop-down menus at the top of the page and then have the searches on that page be written in-line with variables that are decided by what the user selects on the drop-down menu.
Both of those methods are half of what I want. Does anyone have something better than these two solutions? Method one takes up double the space all because of a time range. Method two makes the searches separate from everything except the exact dashboard they are on.
EDIT: Using Splunk 5.0.5 at a company. System isn't going to be updated until September.
Thank you. The "technical" aspect I was referring to is the maintenance of my dashboards as well as the creation of more from future developers. I am not worried about the support team that will be navigating the dashboards from the user level.
BUT your confidence in method 2 has encouraged me to target that as the way to create these. Thank you guys.
We use method 2 for most of our dashboards. Even the end users who are using the application can use the dashboards without any user guides. Time filters like these are self-explanatory. I think the KT sessions on how to use Method 2 should be sufficient for others to get going.
There is another way, which is to implement drilldown. First you will load the monthly chart. Then, clicking on the chart, you will load another chart below the first chart to show that week's data. According to me this is a little more complicated than your Method 2.
The visualization depends on the use case as well 🙂
I am going to be passing all my work on in about 4 weeks and method 2, while being effective, seems very technical when compared to the use of saved searches. I can do it, but I feel maintenance down the road for other people would be rather difficult (that may be a false assumption). I will be doing method 2 if there is not a solution that I like more.
EDIT: I am also responsible for setting the foundation of standards in this system and I am worried that method 2 is a bit awkward when saved searches have so much support built in.
I agree with the cons of method 1, which requires everything double because of two time ranges. Could you explain more on the cons for Method 2? I am not sure if I got it all. (Method 2 is the one I use for most of my dashboards.)
Maybe you can use the new "Zoom to another chart" feature to show a complete month of data and enable the user to drill down to a time window they want to see (which can be a week). This feature has been available since 6.1, if I remember correctly.