Splunk Search

Dropdown creation and configuration for a dashbaord

shabdadev
Engager

Hi,

I wrote one simple query

index=nmon host=* type=DISKXFER | timechart avg(value) by host

and created a dashbaord with time filter option also.

Now i want to add a dropdown ,but no where i am finding explanation for the fields represented in dropdown edit section and also i am not sure how to connect the drop down with the dashboard panel so that once time range and drop down value is selected ,.....data should populate in the dashboard .

I want to implement this logic with multiple panels ..so that once i select a set of server suppose "search server" from drop down..it should populate the values for those servers.

Tags (1)
0 Karma

niketn
Legend

Here is an example based off Splunk's internal index.
It created Dropdown for Sourcetypes to be used across dashboard. It also has a Time control to allow specifying earliest and latest time for dropdown and the panels. I have added Time Control the example just to show that timerange for a Dynamic Query in dropdown can be specified only in the inline search using command like thisearliest=$tok_time.earliest$ latest=$tok_time.latest$

<form>
  <label>Splunk Answers 505259</label>
  <fieldset submitButton="false">
    <input type="time" token="tok_time" searchWhenChanged="true">
      <label>Global Time Selector</label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="tok_sourcertype" searchWhenChanged="true">
      <label>Select Sourcetype</label>
      <choice value="*">All</choice>
      <default>*</default>
      <prefix>sourcetype="</prefix>
      <suffix>"</suffix>
      <initialValue>*</initialValue>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search>
        <query>index=_internal sourcetype=*
earliest=$tok_time.earliest$ latest=$tok_time.latest$
| dedup sourcetype
| sort sourcetype
| table sourcetype</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Panel 1</title>
      <chart>
        <search>
          <query>index=_internal $tok_sourcertype$
| stats count by log_level</query>
          <earliest>$tok_time.earliest$</earliest>
          <latest>$tok_time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">pie</option>
      </chart>
    </panel>
    <panel>
      <title>Panel 2</title>
      <table>
        <search>
          <query>index=_internal $tok_sourcertype$
| stats count by log_level</query>
          <earliest>$tok_time.earliest$</earliest>
          <latest>$tok_time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Besides basic form input elements you should also consider reading
Input Event Handlers: http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference
and also Token Usage in Dashboards which also covers Search Event Handlers: http://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens

Ideally, the scenario for example used here is suitable for post processing as same stats query is used in two places. So the underlying query to pull stats will run only once. However, post processing should be applied as per use case as it has its limitations and guidelines as well. (http://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches#Post-process_searches)

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

@shabdadev were you able to try out the example? Is your issue resolved?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

adonio
Ultra Champion

Hi shabdadev,
This doc can get you started: http://docs.splunk.com/Documentation/Splunk/6.5.2/Viz/Buildandeditforms
It has good code examples. Also, teh dashboard examples app is very useful, you can download it here:
https://splunkbase.splunk.com/app/1603/
Hope it helps

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...