We have just started using Splunk with real data in my organisation, and to start with we're only using it to show and compare events from different types of logs.
I'm looking for a way to have some form boxes in a dashboard, so my users can just input a value, and then this value is added to an already defined search string in the normal search window.
Like, I have a predefined search like sourcetype="platform_jboss_log" index="index1" "string"
So when inputting a value it would switch to a search window with the value defined and the search is started.
I have browsed around here and in the 6.x dashboard examples, not finding anything really useful. Is this so much out of Splunk's use case?
I just want to give my users an easy way to search for the stuff they need without them needing to prefix their searches manually with sourcetype etc.
You can find basic form examples here.
The key words you are looking for are:
You need to define a text input (let's call the token "str"). You then need to incorporate the token "str" into your search string. Your searchTemplate will look something like this:
sourcetype="platform_jboss_log" index="index1" "$str$"
Note that I have put $ around the token; this is what allows Splunk to understand that it's a variable rather than a string.
Hope this helps
It seems like your issue is you want the raw output, rather than the table- or chart-style output from @aholzer's great suggestions. If so, use <event> instead of <table>. Assuming you have a dropdown that produces a srcType value and a text input for your str value, you should be able to do something like this:
<searchString>sourcetype="$srcType$" index="index1" "$str$"</searchString>
Check out http://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML#event for your other options for this tag.
If you look at the link I provided in my answer you'll notice that the second example has a dropdown of sourcetypes. I feel like that's exactly what you are looking for.
Give them the dropdown of sourcetypes as the second example in the link (I suggest you do it dynamically) and a text input as the first example in the link shows.
Hope this helps
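The form described in the answers above, put together as an added example (not code from any of the posters). It assumes a Splunk 6.x release that supports the |s token filter, which wraps the token value in quotes and escapes embedded quotes so that whatever a user types stays a search term; the labels, the result count and the metadata populating search are illustrative choices.

```xml
<form>
  <label>Log search (added example)</label>
  <!-- submitButton="true": nothing runs until the user presses Submit -->
  <fieldset submitButton="true" autoRun="false">
    <!-- Dropdown filled dynamically with the sourcetypes seen in index1.
         The populating search is an assumption; any search that returns
         a "sourcetype" field works here. -->
    <input type="dropdown" token="srcType">
      <label>Log type</label>
      <populatingSearch fieldForValue="sourcetype" fieldForLabel="sourcetype" earliest="-24h" latest="now">| metadata type=sourcetypes index=index1 | fields sourcetype</populatingSearch>
    </input>
    <!-- Free-text value typed by the user, exposed as the token "str" -->
    <input type="text" token="str">
      <label>Search string</label>
    </input>
    <!-- Time range picker applied to the searches in this form -->
    <input type="time" />
  </fieldset>
  <row>
    <panel>
      <!-- <event> shows raw events instead of a table or chart -->
      <event>
        <title>Matching events</title>
        <!-- $srcType|s$ and $str|s$ are inserted as quoted strings, so a
             value containing quotes or a pipe cannot append extra search
             commands to the predefined search. -->
        <searchString>sourcetype=$srcType|s$ index="index1" $str|s$</searchString>
        <option name="count">20</option>
      </event>
    </panel>
  </row>
</form>
```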
I have a long list of sourcetypes which different logfiles in our systems have defined.
(40-50 servers in a cluster with the same kind of logfiles, Splunk is used as a centralized way to search in them)
Right now my users have to define sourcetype="blabla" in their search query every time they want to search in a specific logfile.
I just want to give my users an easy entrypoint for searching in the different types of logs we have.
Not sure I'm understanding then. You could always set up a Splunk role, and as part of the role define a filter as [sourcetype="platform_jboss_log" index="index1"]. By doing this, it will apply that filter to every search the users with that role have. You'd simply have to set all users to have that new role.
Hope this helps
Thanks for the answer.
It's a bit like what I'm seeking, or not.
I want it to make the search in the normal search app when pressing submit, so you can use the facilities that it has. From what I see in the form examples it looks a bit.. restricted