Hello,
I know Splunk quite well, at least the basic concepts. I have recently created a dashboard with a few panels based on summary index searches. This dashboard helps me to get charts about a bunch of servers.
Because I have different groups of servers around the world, I would like to generate the same kind of dashboards, but based on different servers.
It takes time to create all the searches, and then the related dashboard. What is the best way to do the same for other groups of servers? Do I need to create everything manually? Or does Splunk have another way based on templates to do the same?
I wish I could create a dashboard template and call it with several parameters (like the name of the other group of servers, for example) to generate my dashboard.
Thanks in advance for helping me to find the right way.
Yann
You can use what's called "Simplified XML" in order to create a pulldown for each group of servers, where the selection of a value populates dashboard searches. The best reference for this stuff is in the "UI Examples" app, available on Splunkbase. Here's some XML from one of those views (you should just be able to paste this into a new view in Manager):
<form>
  <label>Panel-defined search driven by select drop down</label>
  <fieldset>
    <!-- Define a simple dropdown form driven by a search -->
    <input type="dropdown" token="sourcetype">
      <label>Sourcetype</label>
      <suffix>*</suffix>
      <populatingSearch fieldForValue="series" fieldForLabel="series" earliest="-60m">index=_internal source=*metrics.log group="per_sourcetype_thruput" | chart count over series</populatingSearch>
    </input>
    <input type="time" />
  </fieldset>
  <row>
    <html>
      <h1>Multi-panel linked form search</h1>
      <p>This form search will dispatch 4 separate searches, each listening
      to the common 'sourcetype' text box input. This is useful for rendering
      pages that collate disparate searches that share a common search keyword/token.
      </p>
      <p>
      This form search is nearly identical to <a href="form4">Form search 4 - inverted flow, panel-defined post-process</a>.
      </p>
      <p>NOTE: because this page dispatches multiple searches, the JobStatus bar
      does not appear.
      </p>
    </html>
  </row>
  <row>
    <chart>
      <title>KB Indexed over time</title>
      <searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series="$sourcetype$" | timechart sum(kb)</searchTemplate>
      <option name="charting.chart">area</option>
    </chart>
    <table>
      <title>average kbps over time</title>
      <searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series="$sourcetype$" | timechart avg(kbps)</searchTemplate>
    </table>
  </row>
  <row>
    <table>
      <title>Max events per second over time</title>
      <searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series="$sourcetype$" | timechart max(eps)</searchTemplate>
      <option name="count">20</option>
    </table>
    <chart>
      <title>Average events per second over time</title>
      <searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series="$sourcetype$" | timechart avg(eps)</searchTemplate>
      <option name="charting.chart">line</option>
      <option name="charting.legend.placement">none</option>
    </chart>
  </row>
</form>
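For generating one fixed dashboard per server group from a single template, as the question asks, here is an added example (not part of the original answer or of the UI Examples app). It expands the `$token$` placeholders of a form like the one above offline and rejects values that could alter the search. The function name `render_dashboard`, the trimmed template, and the assumption that the target is a legacy Simple XML `<dashboard>` using `<searchString>` are mine.

```python
import re
import xml.etree.ElementTree as ET

# Constructed template: one panel from the answer's form, trimmed down.
FORM_XML = """<form>
  <label>Throughput</label>
  <fieldset>
    <input type="dropdown" token="sourcetype"><suffix>*</suffix></input>
  </fieldset>
  <row>
    <chart>
      <title>KB Indexed over time</title>
      <searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series="$sourcetype$" | timechart sum(kb)</searchTemplate>
    </chart>
  </row>
</form>"""

# Values may not contain quotes, pipes, spaces or '$', so they cannot
# close the series="..." string or append extra search commands.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_.:-]+$")

def render_dashboard(form_xml, values, label):
    """Turn a token-driven <form> into a static <dashboard> for one group."""
    root = ET.fromstring(form_xml)
    suffixes = {}
    fieldset = root.find("fieldset")
    if fieldset is not None:
        # Remember each input's <suffix>, then drop the inputs themselves.
        for inp in fieldset.findall("input"):
            if inp.get("token"):
                suffixes[inp.get("token")] = inp.findtext("suffix", default="")
        root.remove(fieldset)
    for token, value in values.items():
        if not SAFE_VALUE.match(value):
            raise ValueError(f"unsafe value for ${token}$: {value!r}")
    root.tag = "dashboard"
    root.find("label").text = label
    for node in root.iter("searchTemplate"):
        search = node.text
        for token, value in values.items():
            search = search.replace(f"${token}$", value + suffixes.get(token, ""))
        if re.search(r"\$\w+\$", search):
            raise ValueError(f"unresolved token in: {search}")
        node.tag = "searchString"  # assumed static-search element name
        node.text = search
    return ET.tostring(root, encoding="unicode")
```

Calling it once per group, for example `render_dashboard(FORM_XML, {"sourcetype": "syslog"}, "Throughput - EMEA")`, returns XML that can be saved as a separate view.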