Splunk Search

Is it possible to have a dashboard that is populated with scheduled searches to also have the ability to specify a time range and run manual searches?

jeffreyjewitt
Explorer

Hi:
This is an odd question, but it pops up every so often.
Is it possible to have a dashboard that is populated with scheduled searches (for instant loading once the searches are run), but that also has the ability to specify a time/date range and to manually run the dashboard searches with that time/date range?
The way that I can see it at the moment is to have the dashboard with saved, scheduled searches, and a separate dashboard that has the time/date range option.

Is what I want to do even possible with a single dashboard?
Thank you for any information you could provide.
-Jeff

0 Karma
1 Solution

ngatchasandra
Builder

Hi jeffreyjewitt,
This is possible with a single dashboard! Edit the panels of your dashboard and add a Time input type with the Add input option, as in the following example. This is the XML code of a dashboard form where a time range is configured; with this, you can select a time to run your scheduled search.

<form>

 <label>Form with multiple time pickers</label>
 <description></description>
 <fieldset submitButton="false">
   <input type="dropdown" token="source_tok" searchWhenChanged="true">
     <label>Select a source type</label>
     <choice value="*">All</choice>
     <search>
       <query>index=_internal | stats count by sourcetype</query>
       <earliest>-7d@h</earliest>
       <latest>now</latest>
     </search>
     <fieldForLabel>sourcetype</fieldForLabel>
     <fieldForValue>sourcetype</fieldForValue>
     <prefix>sourcetype="</prefix>
     <suffix>"</suffix>
     <default>splunkd</default>
   </input>

   <!-- Do not define token for global timer -->
   <input type="time" searchWhenChanged="true">
     <label>Select time range</label>
     <default>
       <earliest>-7d@h</earliest>
       <latest>now</latest>
     </default>
   </input>
 </fieldset>
 <row>
   <panel>
     <title>Global timer</title>
     <chart>
       <search>
         <query>index=_internal $source_tok$ | timechart count</query>
       </search>
     </chart>
   </panel>

   <panel>
     <title>Local timer</title>
     <!-- Define token for local timer -->    
     <input type="time" searchWhenChanged="true" token="local_time_input_tok">
       <label>Select time range</label>
       <default>
         <earliest>-24h@h</earliest>
         <latest>now</latest>
       </default>
     </input>
     <chart>
       <search>
         <query>
           index=_internal $source_tok$ | timechart count
         </query>

         <!-- Use the earliest/latest modifiers of the local time input token; they must sit inside <search> -->
         <earliest>$local_time_input_tok.earliest$</earliest>
         <latest>$local_time_input_tok.latest$</latest>
       </search>
     </chart>
   </panel>
 </row>
</form>

Your dashboard will look like the following:

    <form>
      <label>Form with multiple time pickers</label>
      <description></description>
      <fieldset submitButton="false">
        <!-- Time input whose token drives the panel search below -->
        <input type="time" searchWhenChanged="true" token="local_time_input_tok">
          <label>Select time range</label>
          <default>
            <earliest>-24h@h</earliest>
            <latest>now</latest>
          </default>
        </input>
      </fieldset>
      <row>
        <panel>
          <title>Global timer</title>
          <chart>
            <search>
              <!-- Replace the quoted text with the name of your scheduled search -->
              <query>| savedsearch "name of your scheduled search"</query>
              <earliest>$local_time_input_tok.earliest$</earliest>
              <latest>$local_time_input_tok.latest$</latest>
            </search>
          </chart>
        </panel>
      </row>
    </form>

Please excuse me, because I modified the XML code.

jeffreyjewitt
Explorer

A little bit different than our situation, but it is interesting to know.
We currently have our dashboards set up with searchname so that when they run according to the schedule, it displays the results almost immediately when viewing the dashboard, using the cached results. Using | savedsearch "name of your scheduled search" seems to always run an on-demand run of the search, skipping the cached results. I don't think that it is possible to use cached results and a dynamic time picker, for on-demand searches, on the same dashboard.
Thank you for your answer, I learned a bit from messing around with it.
-Jeff

0 Karma

ngatchasandra
Builder

Please, if this answer helps you, can you vote? I am going to try to understand very well what you want!

0 Karma