Splunk Search

How to add a form for user input on a dashboard to only run panel searches for data from certain hosts?

raindrop18
Communicator

I have a dashboard using multiple sources and I would like to replace the fixed host input (host=prdo*) with manual input by a user. This way, a user can add one or more host names and the dashboard will give all the statuses for that option. Is that possible?

Panel =1

index=prod* source=prodLog host=pr*-* "timeout" OR "error" OR "timed-out" OR "exception" AND NOT "step*time" | timechart count as timeout span=1h

Panel = 2

index=aws-production source=prodLog host=pr*-* "green" OR "blue" OR "red" AND NOT "white" | timechart count as Colorstatus span=1h

Currently, the dashboard extracts data from all hosts. My objective is for users to be able to search from the host they are interested in. Also, it would be great if this input could be used/shared on all panels, just like the "time range selector".

1 Solution

gyslainlatsa
Motivator

hi,

try with this example

<form>
  <label>-------------------------------</label>
  <description>----------------------------------------</description>
  <fieldset autoRun="true" submitButton="false">
    <input type="time" token="tm" searchWhenChanged="true">
      <label>Select a time:</label>
      <default>Last 24 hours</default>
    </input>

    <input type="text" token="host_name" searchWhenChanged="true">
      <label>Enter a host:</label>
      <default>pr*-*</default>
    </input>

  </fieldset>
  <row>
    <chart>
      <title>Panel1</title>
      <search>
        <query>index=prod* source=prodLog host=$host_name$ "timeout" OR "error" OR "timed-out" OR "exception" AND NOT "step*time"
       | timechart count as timeout span=1h</query>
      </search>
      <earliestTime>$tm.earliestTime$</earliestTime>
      <latestTime>$tm.latestTime$</latestTime>
      <option name="charting.chart">column</option>
    </chart>
    <table>
      <title>Panel2</title>
      <search>
        <query>index=aws-production source=prodLog host=$host_name$ "green" OR "blue" OR "red" AND NOT "white"
         | timechart count as Colorstatus span=1h</query>
      </search>
      <earliestTime>$tm.earliestTime$</earliestTime>
      <latestTime>$tm.latestTime$</latestTime>
      <option name="wrap">true</option>
      <option name="displayRowNumbers">true</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">row</option>
      <option name="count">5</option>
    </table>
  </row>
</form>
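
A variant of the form above, as an added example that is not part of the original answer: a multiselect populated from the index covers the "one or more host names" request, and the free-text token is referenced as `$host_name|s$` so the typed value is quoted and treated as a single host value instead of being substituted verbatim into the search. The token name `host_filter` and the populating `tstats` search are assumptions; the time tokens use the `<earliest>`/`<latest>` form inside `<search>`.

```xml
<form>
  <fieldset submitButton="false">
    <input type="time" token="tm" searchWhenChanged="true">
      <label>Select a time:</label>
      <default><earliest>-24h@h</earliest><latest>now</latest></default>
    </input>
    <!-- Each selected value becomes host="value"; values are joined with OR -->
    <input type="multiselect" token="host_filter" searchWhenChanged="true">
      <label>Select hosts:</label>
      <choice value="pr*-*">All pr*-* hosts</choice>
      <default>pr*-*</default>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>host="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <!-- Assumed populating search: lists hosts seen in the last 24 hours -->
        <query>| tstats count where index=prod* host=pr*-* by host | fields host</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="text" token="host_name" searchWhenChanged="true">
      <label>Enter a host:</label>
      <default>pr*-*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <!-- Multiselect token expands to (host="a" OR host="b") -->
          <query>index=prod* source=prodLog $host_filter$ "timeout" OR "error" OR "timed-out" OR "exception" AND NOT "step*time" | timechart count as timeout span=1h</query>
          <earliest>$tm.earliest$</earliest>
          <latest>$tm.latest$</latest>
        </search>
      </chart>
      <table>
        <search>
          <!-- |s wraps the typed value in double quotes and escapes embedded quotes -->
          <query>index=aws-production source=prodLog host=$host_name|s$ "green" OR "blue" OR "red" AND NOT "white" | timechart count as Colorstatus span=1h</query>
          <earliest>$tm.earliest$</earliest>
          <latest>$tm.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Both inputs sit in the shared `<fieldset>`, so every panel on the dashboard can reference the same tokens, the same way the time range selector is shared.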

raindrop18
Communicator

Thanks! There is no input (form) created; I just got "-------------------------------
----------------------------------------" above the time selector, and the dashboard itself says "waiting for input".


gyslainlatsa
Motivator

Sorry, I had made a mistake in the code, but I corrected it.

Copy the new code and try again.


raindrop18
Communicator

thanks, all good now!!!


gyslainlatsa
Motivator

happy for you,

don't forget to accept and vote for my answers


gyslainlatsa
Motivator

hi,
Yes, it's possible.
Show your code and I will try to help you.


raindrop18
Communicator

Thanks much! I have updated the question. The dashboard has 10 panels, but I have the code from 2 of the panels.


gyslainlatsa
Motivator

You want to add a box to allow the user to enter the name of the host they want and select the time range they want?


raindrop18
Communicator

I already have a time-range selector; I want the box to enter the host name.
