Splunk Search

Form vs. View for Multiple Result Sets

Eldad
Explorer

Hi,

My event data consists of HTTP requests. My goal is to build a view that includes:

1) A drop down to choose a Host header value
2) A line chart for the selected Host header related events that displays the number of unique requests for each source IP each day
3) Another chart that displays another flavor of the data

When trying to do this with a search form I hit a wall when trying to take the form search results and get something else out of them. The basic search results are the requests associated with a certain Host header value and I was trying to create a chart for the number of unique page hits by IP. I did this by adding a chart where charting.data.search="timechart span=1d count(url) by source_ip". This did not work and the chart was not displayed correctly, making me think that this is not the way I was supposed to use charting.data.search.

So the question is what is the best way to build such a screen (form or view) and how do I achieve that (did not find the documentation taking me through this).

Thanks!


sideview
SplunkTrust

1) there is significant documentation at splunk.com - eg: http://www.splunk.com/base/Documentation/latest/Developer/FormIntro

Quite possibly you've just been looking in the wrong place? eg: setting the property charting.data.search is a very advanced thing to do additional filtering and is not at all how you set the main search.

2) or if you'd rather tinker with living, breathing examples you can pull down the UI Examples app and learn in a more hands-on fashion. It sounds like this might be the way to go for you (since you somehow went straight to the advanced charting documentation)

To do this:
go to the "Launcher" app,
within Launcher, go to "Browse more apps",
then scroll down until you get to "UI Examples for 4.1".
Install that app and once it's installed go to it and start reading through the examples. You'll find a number of examples talking about building different kinds of views in both the simplified XML (ie <form> and <dashboard>) as well as the advanced XML (ie <view>)
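
A form of the kind the answer points to, as an added example that is not from the thread or from the UI Examples app: it uses current Simple XML syntax (the 4.1-era syntax differs), the index `web` and the field `host_header` are assumed names, and `url` and `source_ip` are the fields named in the question. The `|s` token filter quotes the selected value before it reaches the search, and `dc(url)` counts unique URLs where the question's `count(url)` counts every event that has a `url`.

```xml
<!-- Added example, not from the thread. Assumed names: index "web", field
     "host_header"; "url" and "source_ip" are the fields named in the question. -->
<form>
  <label>HTTP requests by Host header</label>

  <!-- Main search: set here, not through charting.data.search. It is a
       transforming search, so both charts can post-process its results. -->
  <search id="per_ip_daily">
    <query>index=web host_header=$host_tok|s$
| bin _time span=1d
| stats count AS requests, dc(url) AS unique_urls BY _time, source_ip</query>
    <earliest>-7d@d</earliest>
    <latest>now</latest>
  </search>

  <fieldset submitButton="false">
    <input type="dropdown" token="host_tok" searchWhenChanged="true">
      <label>Host header</label>
      <fieldForLabel>host_header</fieldForLabel>
      <fieldForValue>host_header</fieldForValue>
      <search>
        <query>index=web | stats count BY host_header | fields host_header</query>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>Unique URLs per source IP per day</title>
      <chart>
        <search base="per_ip_daily">
          <query>xyseries _time source_ip unique_urls</query>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
    <panel>
      <title>Total requests per source IP per day</title>
      <chart>
        <search base="per_ip_daily">
          <query>xyseries _time source_ip requests</query>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
</form>
```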

