Getting Data In

Static drop down menu for dashboard isn't working, need help.

pladamsplunk
Explorer

I've created a dashboard which can read pageviews the number of users for an application the most frequent users. I'm trying to create a drop down menu which will narrow the searches in the dashboard down by a field extracted (application) so that users can see the dashboards as they pertain to their specific app. I created one but for some reason its not functioning.

0 Karma
1 Solution

woodcock
Esteemed Legend

You need to actually use the token inside of your search, like this:

<searchString>index=isamdev eventtype=pageview_usportal http_method=GET $Isam_app$ user="*" http_request="*" | stats count AS Pages, dc(user) AS Users | eval "Pages/User"=Pages/Users</searchString>

View solution in original post

0 Karma

woodcock
Esteemed Legend

You need to actually use the token inside of your search, like this:

<searchString>index=isamdev eventtype=pageview_usportal http_method=GET $Isam_app$ user="*" http_request="*" | stats count AS Pages, dc(user) AS Users | eval "Pages/User"=Pages/Users</searchString>
0 Karma

pladamsplunk
Explorer

thank you for spotting my mistake. It works now

0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

Just a note: that style of XML is deprecated in at least 6.4, and I think 6.3 (iirc) Here is the updated xml:

<search>
    <query>index=isamdev eventtype=pageview_usportal user="*" http_request="*" | timechart dc(http_request) AS Pageviews</query>
     <earliest>$field1.earliest$</earliest>
     <latest>$field1.latest$</latest>
  </search>
0 Karma

woodcock
Esteemed Legend

Downlaod the dashboard examples app and check out the Dropdown Form Input Element example:

https://splunkbase.splunk.com/app/1603/

0 Karma

pladamsplunk
Explorer

Within the Static options area i have 'all' with value *, and app1 and app2 with their respective field values for the app. for my token I used 'fieldname' and for the token prefix i have the 'fieldname='.

The issue is that when i switch from app1 and app2 it doesn't try and re-search. My 'search of change' box is also checked.

0 Karma

woodcock
Esteemed Legend

Post your dashboard XML. How are we supposed to help otherwise?

0 Karma

pladamsplunk
Explorer

What do you think?

0 Karma

pladamsplunk
Explorer

Visitor Information

<input type="time" token="field1">
  <label/>
  <default>
    <earliestTime>0</earliestTime>
    <latestTime/>
  </default>
</input>
<input type="dropdown" token="Isam_app" searchWhenChanged="true">
  <label>Application</label>
  <choice value="herculesct">herculesct</choice>
  <choice value="*">All</choice>
  <choice value="databusqa">databusqa</choice>
  <prefix>Isam_app=</prefix>
  <default>*</default>
</input>


<panel>
  <table>
    <title>Pages and User Information</title>
    <searchString>index=isamdev eventtype=pageview_usportal http_method=GET user="*" http_request="*" | stats count AS Pages, dc(user) AS Users | eval "Pages/User"=Pages/Users</searchString>
    <earliestTime>$field1.earliest$</earliestTime>
    <latestTime>$field1.latest$</latestTime>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
  </table>
</panel>


<panel>
  <chart>
    <title>Top Users</title>
    <searchString>index=isamdev eventtype=pageview_usportal NOT unauthenticated user="*" | top limit=5 user</searchString>
    <earliestTime>$field1.earliest$</earliestTime>
    <latestTime>$field1.latest$</latestTime>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.enabled">false</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart">pie</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">all</option>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.placement">right</option>
  </chart>
</panel>
<panel>
  <chart>
    <title>Pageviews</title>
    <searchString>index=isamdev eventtype=pageview_usportal user="*" http_request="*" | timechart dc(http_request) AS Pageviews</searchString>
    <earliestTime>$field1.earliest$</earliestTime>
    <latestTime>$field1.latest$</latestTime>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.enabled">false</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart">line</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">all</option>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.placement">right</option>
  </chart>
</panel>
0 Karma
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...