Splunk Search

Create Dynamic URL for Splunk Search Dashboard URL

mayankaisera
Engager

I am working on creating a simple UI environment and want to include links to related Splunk search result web dashboards to make a more coherent experience for the user.

For example, say I have an incident named "Hello World" in my simple UI and if the user clicks on Splunk from this simple UI, the user is navigated to the Splunk Web Dashboard with the logs filtered by the keyword "Hello World".

I would be very grateful if you could please share your thoughts on this and let me know if you have any questions.


bowesmana
Super Champion

If you have a Splunk dashboard with an input text box with a token name 'search_data', then you can link to this dashboard with

https://yoursplunkhost/en-GB/app/search/web_dashboard?form.search_data=Hello%20World

where in the above URL, 'search' is the name of the Splunk app, web_dashboard is the name of your dashboard and all tokens you are passing in to that dashboard are prefixed with 'form.'

Your search in the dashboard would already need to have that search filter enabled as part of the search, so it would look something like

your search $search_data|s$

so here your input search filter token is added as part of the search query - note the |s at the end of the name will cause it to double quote the value of the search string, effectively the same as doing

"$search_data$"

Hope this helps.


mayankaisera
Engager

Thank you so much, this helps a lot. If possible, can you please also share two more URL samples for:

  • One where we are trying to filter the data by keyword and timestamp (therefore from date1 to date2)
  • One where we are trying to sort the results by the "time" column.

bowesmana
Super Champion

The same principle applies for all 'tokens' you want to pass in to the Splunk dashboard: they are just URL parameters prefixed with 'form.'. For example this URL

https://yoursplunkhost/en-GB/app/app_name/dashboard?form.time_range.earliest=-30d%40d&form.time_rang...

will set the time picker token 'time_range' for

earliest=-30d@d
latest=now

and it will set the token named 'first_token' and 'second_token' as above.

Sorting is just managed in the search. By default Splunk will show you indexed events in reverse chronological order, so depending on what visualisation you are doing, you may not need to do any sorting, but Splunk sort is in a simple form

| sort fieldname

but check the docs for full details

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sort
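The two answers above describe the URL shape (form.<token> parameters, form.<picker>.earliest/latest for a time picker) and the |s token filter. The following Python is an added example, not code from the thread or from Splunk: it builds such a deep link with proper percent-encoding, reads the tokens back out, and emulates the |s quoting so a keyword that happens to contain search syntax stays a single literal string term. Host, app and dashboard names are the thread's placeholders; the escaping rule for |s is stated as my understanding of the filter, not taken from the thread.

```python
from urllib.parse import parse_qs, quote, urlencode, urlparse


def build_dashboard_url(host, app, dashboard, tokens, locale="en-GB"):
    """Build a Splunk dashboard deep link.

    Each entry of `tokens` becomes a form.<name> query parameter. A value that
    is a dict is treated as a time picker and expands to form.<name>.<part>
    (e.g. form.time_range.earliest). Values are percent-encoded so spaces,
    quotes, '&' and '@' cannot be mistaken for URL structure.
    """
    params = {}
    for name, value in tokens.items():
        if isinstance(value, dict):
            for part, part_value in value.items():
                params[f"form.{name}.{part}"] = part_value
        else:
            params[f"form.{name}"] = value
    # quote_via=quote encodes a space as %20 (the default would use '+')
    query = urlencode(params, quote_via=quote)
    return f"https://{host}/{locale}/app/{app}/{dashboard}?{query}"


def tokens_from_url(url):
    """Recover the form.* tokens a dashboard would receive from a deep link."""
    query = parse_qs(urlparse(url).query)
    return {k[len("form."):]: v[0] for k, v in query.items() if k.startswith("form.")}


def quote_token(value):
    """Emulate what $token|s$ does to a token value (assumed behaviour):
    wrap it in double quotes and backslash-escape embedded quotes and
    backslashes, so the whole value is one quoted term in the search rather
    than being parsed as additional search syntax."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


if __name__ == "__main__":
    # Constructed sample values matching the thread's placeholders
    print(build_dashboard_url("yoursplunkhost", "search", "web_dashboard",
                              {"search_data": "Hello World"}))
    print(build_dashboard_url("yoursplunkhost", "app_name", "dashboard",
                              {"time_range": {"earliest": "-30d@d", "latest": "now"},
                               "first_token": "Hello World"}))
    print("your search", quote_token('Hello" OR index=*'))
```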
