Splunk Search

Dropdown creation and configuration for a dashbaord

shabdadev
Engager

Hi,

I wrote one simple query

index=nmon host=* type=DISKXFER | timechart avg(value) by host

and created a dashbaord with time filter option also.

Now i want to add a dropdown ,but no where i am finding explanation for the fields represented in dropdown edit section and also i am not sure how to connect the drop down with the dashboard panel so that once time range and drop down value is selected ,.....data should populate in the dashboard .

I want to implement this logic with multiple panels ..so that once i select a set of server suppose "search server" from drop down..it should populate the values for those servers.

Tags (1)
0 Karma

niketn
Legend

Here is an example based off Splunk's internal index.
It created Dropdown for Sourcetypes to be used across dashboard. It also has a Time control to allow specifying earliest and latest time for dropdown and the panels. I have added Time Control the example just to show that timerange for a Dynamic Query in dropdown can be specified only in the inline search using command like thisearliest=$tok_time.earliest$ latest=$tok_time.latest$

<form>
  <label>Splunk Answers 505259</label>
  <fieldset submitButton="false">
    <input type="time" token="tok_time" searchWhenChanged="true">
      <label>Global Time Selector</label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="tok_sourcertype" searchWhenChanged="true">
      <label>Select Sourcetype</label>
      <choice value="*">All</choice>
      <default>*</default>
      <prefix>sourcetype="</prefix>
      <suffix>"</suffix>
      <initialValue>*</initialValue>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search>
        <query>index=_internal sourcetype=*
earliest=$tok_time.earliest$ latest=$tok_time.latest$
| dedup sourcetype
| sort sourcetype
| table sourcetype</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Panel 1</title>
      <chart>
        <search>
          <query>index=_internal $tok_sourcertype$
| stats count by log_level</query>
          <earliest>$tok_time.earliest$</earliest>
          <latest>$tok_time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">pie</option>
      </chart>
    </panel>
    <panel>
      <title>Panel 2</title>
      <table>
        <search>
          <query>index=_internal $tok_sourcertype$
| stats count by log_level</query>
          <earliest>$tok_time.earliest$</earliest>
          <latest>$tok_time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Besides basic form input elements you should also consider reading
Input Event Handlers: http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference
and also Token Usage in Dashboards which also covers Search Event Handlers: http://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens

Ideally, the scenario for example used here is suitable for post processing as same stats query is used in two places. So the underlying query to pull stats will run only once. However, post processing should be applied as per use case as it has its limitations and guidelines as well. (http://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches#Post-process_searches)

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

@shabdadev were you able to try out the example? Is your issue resolved?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

adonio
Ultra Champion

Hi shabdadev,
This doc can get you started: http://docs.splunk.com/Documentation/Splunk/6.5.2/Viz/Buildandeditforms
It has good code examples. Also, teh dashboard examples app is very useful, you can download it here:
https://splunkbase.splunk.com/app/1603/
Hope it helps

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...