Splunk Search

Dropdown creation and configuration for a dashboard

shabdadev
Engager

Hi,

I wrote one simple query

index=nmon host=* type=DISKXFER | timechart avg(value) by host

and created a dashboard with a time filter option also.

Now I want to add a dropdown, but nowhere am I finding an explanation for the fields represented in the dropdown edit section, and I am also not sure how to connect the dropdown with the dashboard panel so that once the time range and dropdown value are selected, data should populate in the dashboard.

I want to implement this logic with multiple panels, so that once I select a set of servers, suppose "search server", from the dropdown, it should populate the values for those servers.

0 Karma

niketn
Legend

Here is an example based off Splunk's internal index.
It creates a dropdown for sourcetypes to be used across the dashboard. It also has a Time control to allow specifying earliest and latest time for the dropdown and the panels. I have added the Time Control to the example just to show that the time range for a dynamic query in the dropdown can be specified only in the inline search, using a command like this: earliest=$tok_time.earliest$ latest=$tok_time.latest$

<form>
  <label>Splunk Answers 505259</label>
  <fieldset submitButton="false">
    <input type="time" token="tok_time" searchWhenChanged="true">
      <label>Global Time Selector</label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="tok_sourcertype" searchWhenChanged="true">
      <label>Select Sourcetype</label>
      <choice value="*">All</choice>
      <default>*</default>
      <prefix>sourcetype="</prefix>
      <suffix>"</suffix>
      <initialValue>*</initialValue>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search>
        <query>index=_internal sourcetype=*
earliest=$tok_time.earliest$ latest=$tok_time.latest$
| dedup sourcetype
| sort sourcetype
| table sourcetype</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Panel 1</title>
      <chart>
        <search>
          <query>index=_internal $tok_sourcertype$
| stats count by log_level</query>
          <earliest>$tok_time.earliest$</earliest>
          <latest>$tok_time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">pie</option>
      </chart>
    </panel>
    <panel>
      <title>Panel 2</title>
      <table>
        <search>
          <query>index=_internal $tok_sourcertype$
| stats count by log_level</query>
          <earliest>$tok_time.earliest$</earliest>
          <latest>$tok_time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Besides basic form input elements, you should also consider reading
Input Event Handlers: http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference
and also Token Usage in Dashboards, which also covers Search Event Handlers: http://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens

Ideally, the scenario for the example used here is suitable for post-processing, as the same stats query is used in two places. So the underlying query to pull stats will run only once. However, post-processing should be applied as per use case, as it has its limitations and guidelines as well. (http://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches#Post-process_searches)

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
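
The post-processing arrangement the answer above mentions, written out as an added example that is not part of the original post: one base search runs the stats query once, and both panels post-process its results. The search id `base_log_level` and the two post-process queries are assumptions made for illustration; the inputs and token names are carried over from the answer's form.

```xml
<form>
  <label>Post-process example</label>
  <!-- Base search (id is an assumed name): runs once per token change -->
  <search id="base_log_level">
    <query>index=_internal $tok_sourcertype$
| stats count by log_level</query>
    <earliest>$tok_time.earliest$</earliest>
    <latest>$tok_time.latest$</latest>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="tok_time" searchWhenChanged="true">
      <label>Global Time Selector</label>
      <default><earliest>@d</earliest><latest>now</latest></default>
    </input>
    <input type="dropdown" token="tok_sourcertype" searchWhenChanged="true">
      <label>Select Sourcetype</label>
      <choice value="*">All</choice>
      <default>*</default>
      <prefix>sourcetype="</prefix>
      <suffix>"</suffix>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search>
        <query>index=_internal sourcetype=* earliest=$tok_time.earliest$ latest=$tok_time.latest$
| dedup sourcetype | sort sourcetype | table sourcetype</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Panel 1</title>
      <chart>
        <!-- Post-process: reuses the base results, only reorders them -->
        <search base="base_log_level">
          <query>| sort - count</query>
        </search>
        <option name="charting.chart">pie</option>
      </chart>
    </panel>
    <panel>
      <title>Panel 2</title>
      <table>
        <!-- Post-process: adds a percentage column without re-running the base search -->
        <search base="base_log_level">
          <query>| eventstats sum(count) as total | eval percent=round(100*count/total, 1) | fields log_level count percent</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The base search is a transforming search (`stats`), so the post-process searches only handle the small aggregated result set rather than raw events.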

niketn
Legend

@shabdadev were you able to try out the example? Is your issue resolved?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

adonio
Ultra Champion

Hi shabdadev,
This doc can get you started: http://docs.splunk.com/Documentation/Splunk/6.5.2/Viz/Buildandeditforms
It has good code examples. Also, the dashboard examples app is very useful; you can download it here:
https://splunkbase.splunk.com/app/1603/
Hope it helps

0 Karma