How can I use a text input form to search through a table to narrow down results?

vil505
Explorer

This is probably simple, but how can I use the text input in a form to narrow down my results? I'm building a form that monitors the space used and the processes running on several servers. I would like to make it so the user can type in the PID to find the process they want. I'd also like to be able to search by name, if possible, but the PID takes precedence.

Here is my XML code. The tables I want to filter are the "Processes logged on" tables. Process is the name of the process.

<form>
  <label>Apigee Servers: Disk Space, Memory, and Performance</label>
  <fieldset submitButton="false">
    <input type="time" token="timetok">
      <label>Sets Time Range for Percent Space Used Charts</label>
      <default>
        <earliest>-1d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="time" token="timetok2">
      <label>Sets Time Range for Process Tables</label>
      <default>
        <earliest>-15min@min</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>prdctlvapigee01 PercentUsedSpace</title>
      <chart>
        <title>Tracks the PercentUsedSpace on prdctlvapigee01</title>
        <search>
          <query>host=prdctlvapigee01 source=df MountedOn="/app"| timechart latest(PercentUsedSpace) as PercentUsedSpace</query>
          <earliest>$timetok.earliest$</earliest>
          <latest>$timetok.latest$</latest>
        </search>
        <option name="charting.legend.placement">right</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart">line</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsY.majorUnit">1</option>
        <option name="charting.axisY.maximumNumber">100</option>
        <option name="charting.axisY.minimumNumber">0</option>
      </chart>
    </panel>
    <panel>
      <title>prdctlvapigee02 PercentUsedSpace since midnight</title>
      <chart>
        <title>Tracks the PercentUsedSpace on prdctlvapigee02</title>
        <search>
          <query>host=prdctlvapigee02 MountedOn="/app"| timechart latest(PercentUsedSpace) as PercentUsedSpace</query>
          <earliest>$timetok.earliest$</earliest>
          <latest>$timetok.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.axisLabelsY.majorUnit">1</option>
        <option name="charting.axisY.maximumNumber">100</option>
        <option name="charting.axisY.minimumNumber">0</option>
      </chart>
    </panel>
    <panel>
      <title>prdctlvapigee03 PercentUsedSpace since midnight</title>
      <chart>
        <title>Tracks the PercentUsedSpace on prdctlvapigee03</title>
        <search>
          <query>host=prdctlvapigee03 MountedOn="/app"| timechart latest(PercentUsedSpace) as PercentUsedSpace</query>
          <earliest>$timetok.earliest$</earliest>
          <latest>$timetok.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.axisLabelsY.majorUnit">1</option>
        <option name="charting.axisY.maximumNumber">100</option>
        <option name="charting.axisY.minimumNumber">0</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>prdctlvapigee04 /app/pgdata PercentUsedSpace since midnight</title>
      <chart>
        <title>Tracks the PercentUsedSpace on prdctlvapigee04</title>
        <search>
          <query>host=prdctlvapigee04 MountedOn="/app/pgdata"| timechart latest(PercentUsedSpace) as PercentUsedSpacen</query>
          <earliest>$timetok.earliest$</earliest>
          <latest>$timetok.latest$</latest>
        </search>
        <option name="charting.legend.placement">right</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart">line</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsY.majorUnit">1</option>
        <option name="charting.axisY.maximumNumber">100</option>
        <option name="charting.axisY.minimumNumber">0</option>
      </chart>
    </panel>
    <panel>
      <title>prdctlvapigee05 /app/pgdata PercentUsedSpace since midnight</title>
      <chart>
        <title>Tracks the PercentUsedSpace on prdctlvapigee05</title>
        <search>
          <query>host=prdctlvapigee05 MountedOn="/app/pgdata"| timechart latest(PercentUsedSpace) as PercentUsedSpace</query>
          <earliest>$timetok.earliest$</earliest>
          <latest>$timetok.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.axisY.maximumNumber">100</option>
        <option name="charting.axisY.minimumNumber">0</option>
        <option name="charting.axisLabelsY.majorUnit">1</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Processes logged on prdctlvapigee01 in set time period</title>
      <input type="text" token="field1"></input>
      <table>
        <title>Reports the processes and their PIDs reported in the Splunk logs in the time you set, for prdctlvapigee01</title>
        <search>
          <query>host=prdctlvapigee01 pid="*" source=ps| stats count by pid process</query>
          <earliest>$timetok2.earliest$</earliest>
          <latest>$timetok2.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
    <panel>
      <title>Processes logged on prdctlvapigee02 in set time period</title>
      <input type="text" token="field2"></input>
      <table>
        <title>Reports the processes and their PIDs reported in the Splunk logs in the time you set, for prdctlvapigee02</title>
        <search>
          <query>host=prdctlvapigee02 pid="*" source=ps| stats count by pid process</query>
          <earliest>$timetok2.earliest$</earliest>
          <latest>$timetok2.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Processes logged on prdctlvapigee03 in set time period</title>
      <input type="text" token="field3"></input>
      <table>
        <title>Reports the processes and their PIDs reported in the Splunk logs in the time you set, for prdctlvapigee03</title>
        <search>
          <query>host=prdctlvapigee03 pid="*" source=ps| stats count by pid process</query>
          <earliest>$timetok2.earliest$</earliest>
          <latest>$timetok2.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
    <panel>
      <title>Processes logged on prdctlvapigee04 in set time period</title>
      <input type="text" token="field4"></input>
      <table>
        <title>Reports the processes and their PIDs reported in the Splunk logs in the time you set, for prdctlvapigee04</title>
        <search>
          <query>host=prdctlvapigee04 pid="*" source=ps| stats count by pid process</query>
          <earliest>$timetok2.earliest$</earliest>
          <latest>$timetok2.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Processes logged on prdctlvapigee05 in set time period</title>
      <input type="text" token="field5"></input>
      <table>
        <title>Reports the processes and their PIDs reported in the Splunk logs in the time you set, for prdctlvapigee05</title>
        <search>
          <query>host=prdctlvapigee05 pid="*" source=ps| stats count by pid process</query>
          <earliest>$timetok2.earliest$</earliest>
          <latest>$timetok2.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>
0 Karma
1 Solution

sundareshr
Legend

Set the token id and default for your text field as "txtPID_Tok" and "*" and in your search query for the table(s) add a pid=$txtPID_Tok$

vil505
Explorer

When I try that, I get a syntax error: Cannot find object mapper for panel type: default

Here is what I wrote:

  <row>
    <panel>
      <title>Processes logged on prdctlvapigee01 in set time period</title>
      <input type="text" token="txtPID_tok"></input>
        <default>*</default>
      <table>
        <title>Reports the processes and their PIDs reported in the Splunk logs in the time you set, for prdctlvapigee01</title>
        <search>
          <query>host=prdctlvapigee01 pid=$txtPID_tok$ source=ps| stats count by pid process</query>
0 Karma

sundareshr
Legend

default should be inside the input tag. Like this

<input type="text" token="txtPID_tok">
         <default>*</default>
</input>

vil505
Explorer

Well that was simple. Thank you so much!

Here's the xml code for reference.

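  <row>
    <panel>
      <title>Processes logged on prdctlvapigee01 in set time period</title>
      <input type="text" token="txtPID_tok1">
        <default>*</default>
      </input>
      <table>
        <title>Reports the processes and their PIDs reported in the Splunk logs in the time you set, for prdctlvapigee01</title>
        <search>
          <query>host=prdctlvapigee01 pid=$txtPID_tok1$ source=ps| stats count by pid process</query>
          <earliest>$timetok2.earliest$</earliest>
          <latest>$timetok2.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>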

0 Karma
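
The panel from the thread, extended to also filter by process name, as an added example that is not part of the original posts. The token name txtProc_tok and the input labels are hypothetical. Both inputs default to "*", and both tokens use Simple XML's |s token filter, which wraps the typed value in quotes so that spaces or other characters in the input are treated as a field value rather than as extra search syntax.

```xml
<row>
  <panel>
    <title>Processes logged on prdctlvapigee01 in set time period</title>
    <!-- PID filter: token name from the thread; "*" matches every PID until the user types one -->
    <input type="text" token="txtPID_tok" searchWhenChanged="true">
      <label>PID</label>
      <default>*</default>
    </input>
    <!-- Process-name filter: txtProc_tok is a hypothetical token name, not from the thread -->
    <input type="text" token="txtProc_tok" searchWhenChanged="true">
      <label>Process name (wildcards allowed)</label>
      <default>*</default>
    </input>
    <table>
      <title>Reports the processes and their PIDs reported in the Splunk logs in the time you set, for prdctlvapigee01</title>
      <search>
        <!-- $token|s$ quotes the value before substitution: pid="1234" process="java*" -->
        <query>host=prdctlvapigee01 source=ps pid=$txtPID_tok|s$ process=$txtProc_tok|s$ | stats count by pid process</query>
        <earliest>$timetok2.earliest$</earliest>
        <latest>$timetok2.latest$</latest>
      </search>
      <option name="wrap">true</option>
      <option name="rowNumbers">false</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">cell</option>
      <option name="count">10</option>
    </table>
  </panel>
</row>
```

The two filters are ANDed, so leaving the process name at "*" lets the PID alone decide which rows appear.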