Dashboard templates

ysouchon
Explorer

Hello,

I know Splunk quite well, at least the basic concepts. I have recently created a dashboard with a few panels based on summary index searches. This dashboard helps me to get charts about a bunch of servers.

Because I have different groups of servers around the world, I would like to generate the same kind of dashboards, but based on different servers.

It takes time to create all searches, and then the related dashboard. What is the best way to do the same for other groups of servers? Do I need to create everything manually? Or does Splunk have another way based on templates to do the same?

I wish I could create a dashboard template and call it with several parameters (like the name of the other group of servers for example) to generate my dashboard.

Thanks in advance for helping me to find the right way.

Yann

0 Karma
1 Solution

mw
Splunk Employee

You can use what's called "Simplified XML" in order to create a pulldown for each group of servers, where the selection of a value populates dashboard searches. The best reference for this stuff is in the "UI Examples" app, available on Splunkbase. Here's some XML from one of those views (you should just be able to paste this into a new view in Manager):

<form>
  <label>Panel-defined search driven by select drop down</label>

  <fieldset>
       <!-- Define a simple dropdown form driven by a search -->
       <input type="dropdown" token="sourcetype">
           <label>Sourcetype</label>
           <suffix>*</suffix>
           <populatingSearch fieldForValue="series" fieldForLabel="series" earliest="-60m">index=_internal source=*metrics.log group="per_sourcetype_thruput" | chart count over series</populatingSearch>
       </input>
      <input type="time" />
  </fieldset>


  <row>
      <html>
        <h1>Multi-panel linked form search</h1>
        <p>This form search will dispatch 4 separate searches, each listening
          to the common 'sourcetype' text box input.  This is useful for rendering
          pages that collate disparate searches that share a common search keyword/token.
        </p>
        <p>
          This form search is nearly identical to <a href="form4">Form search 4 - inverted flow, panel-defined post-process</a>.
        </p>
        <p>NOTE: because this page dispatches multiple searches, the JobStatus bar
          does not appear.
        </p> 
      </html>
  </row>

  <row>
      <chart>
          <title>KB Indexed over time</title>
          <searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series="$sourcetype$" | timechart sum(kb)</searchTemplate>
          <option name="charting.chart">area</option>
      </chart>
      <table>
          <title>average kbps over time</title>
          <searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series="$sourcetype$" | timechart avg(kbps)</searchTemplate>
      </table>
  </row>

  <row>
      <table>
          <title>Max events per second over time</title>
          <searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series="$sourcetype$" | timechart max(eps)</searchTemplate>
          <option name="count">20</option>
      </table>
      <chart>
          <title>Average events per second over time</title>
          <searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series="$sourcetype$" | timechart avg(eps)</searchTemplate>
          <option name="charting.chart">line</option>
          <option name="charting.legend.placement">none</option>
      </chart>
  </row>

</form>
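
For the "template called with parameters" approach asked about in the question, static per-group dashboards can also be rendered from one template by a script. This is an added example, not code from the original post or from Splunk; `index=summary`, the `server_group` field, the group names and the `servers_*.xml` file naming are assumptions. The group name is allow-listed because it is substituted inside a quoted search string, and the label is XML-escaped.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed template using the legacy <searchString> element for a static
# dashboard. index=summary and the server_group field are assumptions.
TEMPLATE = """<dashboard>
  <label>{label}</label>
  <row>
    <chart>
      <title>KB indexed over time</title>
      <searchString>index=summary server_group="{group}" | timechart sum(kb)</searchString>
      <option name="charting.chart">area</option>
    </chart>
  </row>
</dashboard>
"""

# The group name lands inside a quoted SPL string, so allow-list it instead of
# trying to escape quotes, pipes or brackets after the fact.
GROUP_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def render_dashboard(group, label=None):
    """Return Simple XML for one server group, or raise ValueError."""
    if not GROUP_RE.fullmatch(group):
        raise ValueError(f"unsafe server group name: {group!r}")
    xml = TEMPLATE.format(label=escape(label or f"Servers: {group}"), group=group)
    ET.fromstring(xml)  # fail early if the rendered view is not well-formed
    return xml


def render_all(groups):
    """Map view file names to rendered XML, refusing colliding names."""
    views = {}
    for group in groups:
        name = "servers_" + re.sub(r"[^a-z0-9_]", "_", group.lower()) + ".xml"
        if name in views:
            raise ValueError(f"duplicate view name: {name}")
        views[name] = render_dashboard(group)
    return views


if __name__ == "__main__":
    for name, xml in render_all(["emea-web", "apac-db"]).items():  # constructed names
        print(name, len(xml), "bytes")
```

The rendered files are views; Splunk reads app views from `etc/apps/<app>/local/data/ui/views/`, where `<app>` is a placeholder for your own app.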
