Splunk Search

Is it possible to have a dashboard that is populated with scheduled searches to also have the ability to specify a time range and run manual searches?

jeffreyjewitt
Explorer

Hi:
This is an odd question, but it pops up every so often.
Is it possible to have a dashboard that is populated with scheduled searches (for instant loading once the searches are run), but that also has the ability to specify a time/date range and to manually run the dashboard searches with that time/date range?
The way that I can see it at the moment, is to have the dashboard with saved, scheduled searches, and a separate dashboard that has the time/date range option.

Is what I want to do even possible with a single dashboard?
Thank you for any information you could provide.
-Jeff

0 Karma
1 Solution

ngatchasandra
Builder

Hi jeffreyjewitt,
This is possible with a single dashboard! Edit the panels of your dashboard and add a Time input type with the Add input option, as in the following example. This is the XML code of a dashboard form where a time range is configured; with this, you can select a time range to run your scheduled search.

<form>

 <label>Form with multiple time pickers</label>
 <description></description>
 <fieldset submitButton="false">
   <input type="dropdown" token="source_tok" searchWhenChanged="true">
     <label>Select a source type</label>
     <choice value="*">All</choice>
     <search>
       <query>index=_internal | stats count by sourcetype</query>
       <earliest>-7d@h</earliest>
       <latest>now</latest>
     </search>
     <fieldForLabel>sourcetype</fieldForLabel>
     <fieldForValue>sourcetype</fieldForValue>
     <prefix>sourcetype="</prefix>
     <suffix>"</suffix>
     <default>splunkd</default>
   </input>

   <!-- Do not define token for global timer -->
   <input type="time" searchWhenChanged="true">
     <label>Select time range</label>
     <default>
       <earliest>-7d@h</earliest>
       <latest>now</latest>
     </default>
   </input>
 </fieldset>
 <row>
   <panel>
     <title>Global timer</title>
     <chart>
       <search>
         <query>index=_internal $source_tok$ | timechart count</query>
       </search>
     </chart>
   </panel>

   <panel>
     <title>Local timer</title>
     <!-- Define token for local timer -->    
     <input type="time" searchWhenChanged="true" token="local_time_input_tok">
       <label>Select time range</label>
       <default>
         <earliest>-24h@h</earliest>
         <latest>now</latest>
       </default>
     </input>
     <chart>
       <search>
         <query>
           index=_internal $source_tok$ | timechart count
         </query>

         <!-- Use modifiers to token for a timer -->
         <earliest>$local_time_input_tok.earliest$</earliest>
         <latest>$local_time_input_tok.latest$</latest>
       </search>
     </chart>
   </panel>
 </row>
</form>

Your dashboard will look as follows:

  <form>

     <label>Form with multiple time pickers</label>
     <description></description>
     <fieldset submitButton="false">


       <input type="time" searchWhenChanged="true" token="local_time_input_tok">
           <label>Select time range</label>
           <default>
             <earliest>-24h@h</earliest>
             <latest>now</latest>
           </default>
         </input>
     </fieldset>
     <row>
       <panel>
         <title>Global timer</title>
         <chart>
           <search>
             <query>| savedsearch "name of your scheduled search"</query>
             <earliest>$local_time_input_tok.earliest$</earliest>
             <latest>$local_time_input_tok.latest$</latest>
           </search>
         </chart>
       </panel>


     </row>
    </form>

Please excuse me, because I modified the XML code.

jeffreyjewitt
Explorer

A little bit different than our situation, but it is interesting to know.
We currently have our dashboards set up with searchname so that when they run according to the schedule, it displays the results almost immediately when viewing the dashboard, using the cached results. Using |savedsearch ''name of your scheduled''search seems to always run an on demand run of the search, skipping the cached results. I don't think that it is possible to use cached results with a dynamic time picker, for on demand searches on the same dashboard.
Thank you for your answer, I learned a bit from messing around with it.
-Jeff

0 Karma
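
The two behaviours described in the reply above, placed side by side on one form, as an added example that is not part of the original thread: the first panel references the scheduled report by name and shows the results of its latest scheduled run, while the second dispatches the same report on demand over the range chosen in a token-bound time picker. `my_scheduled_report` and `adhoc_time_tok` are placeholder names, and the report is assumed to be saved and scheduled.

```xml
<form>
  <label>Scheduled results and on-demand range (added example)</label>
  <fieldset submitButton="false">
    <!-- Token-bound picker: only searches that reference the token use it -->
    <input type="time" token="adhoc_time_tok" searchWhenChanged="true">
      <label>Range for the on-demand panel</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Latest scheduled run (cached)</title>
      <chart>
        <!-- my_scheduled_report is a placeholder for the saved, scheduled report.
             No time range is set here, so the picker above does not apply
             to this panel. -->
        <search ref="my_scheduled_report"></search>
      </chart>
    </panel>
    <panel>
      <title>On demand, selected range</title>
      <chart>
        <search>
          <!-- savedsearch dispatches a new search each time; it does not
               read the cached results of the scheduled run -->
          <query>| savedsearch "my_scheduled_report"</query>
          <earliest>$adhoc_time_tok.earliest$</earliest>
          <latest>$adhoc_time_tok.latest$</latest>
        </search>
      </chart>
    </panel>
  </row>
</form>
```

The time picker affects only the second panel; the first keeps showing the cached results whatever range is selected.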

ngatchasandra
Builder

Please, if this answer helps you, can you vote? I am going to try to understand very well what you want!

0 Karma