Splunk Search

Splunk search interface for non-technical users?

yoyu777
Explorer

Hi,

This question may be a bit unusual. While I know SPL is already kind of "simple" enough to get the hang of for most technical users, we are challenged to find a software/service that allows even the least technical users to comfortably create some filters and fire some searches; ideally it should also be able to integrate with Splunk.

"Pivot" does not fit the purpose as it is mainly a visualisation tool rather than search tool.

Has anyone come across things like this before?


gcusello
SplunkTrust

Hi yoyu777,
we gave users who don't know Splunk a simple interface for developers who need to see debugging logs during development.
We created a search perimeter (host, source, and other fields) in a lookup and created some filters in the dashboard using the lookup fields, so the user can filter logs.

In other words, users choose search parameters and, using the perimeter lookup, we create a search containing the main information: index, sourcetype, source, host.
In addition, the user has a free text input to add words to search for.

As a result, we display the timestamp and part of the raw event (first 200 chars) for a list of events; if the interesting event is larger than 200 chars, clicking on the event displays the full event in another panel of the dashboard.

Bye.
Giuseppe

yoyu777
Explorer

Thanks Giuseppe.

So just to validate my understanding, you created your own app and did some customisation so non-technical users can create filters by clicking the mouse? Did you just use the out-of-the-box interface, or did you use HTML and JavaScript scripts, or SplunkJS?


gcusello
SplunkTrust

No, we have a lookup containing all the information about the search perimeter:

  • perimeter
  • name
  • environment (Production or Qualification)
  • hostname
  • IP
  • Log Type (Application or System)
  • source

Users in a dashboard can choose all the above parameters; in this way we can identify:

  • index
  • sourcetype
  • source
  • host

and show the user all the events that match the filters.
The only additional choice is a full-text search input.

We did it all with the standard Splunk interface, without additional components.

The main job is to design the perimeter, but we usually already have it because the targets are development logs, so we can easily delimit our perimeter.

Bye.
Giuseppe

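The lookup-driven dashboard Giuseppe describes, written out as a Simple XML form. This is an added example, not his dashboard or any Splunk-shipped code; the lookup file name `search_perimeter.csv` and its column names (`environment`, `hostname`, `index`, `sourcetype`, `source`, `host`) are assumptions. The dropdowns are populated only from lookup values, the `|s` filter quotes the free text so it is searched as terms rather than interpreted as SPL, and `|h` HTML-escapes the event before it is rendered in the detail panel.

```xml
<form>
  <label>Developer log viewer (added example)</label>
  <fieldset submitButton="true">
    <input type="dropdown" token="environment">
      <label>Environment</label>
      <search><query>| inputlookup search_perimeter.csv | dedup environment | table environment</query></search>
      <fieldForLabel>environment</fieldForLabel><fieldForValue>environment</fieldForValue>
    </input>
    <input type="dropdown" token="hostname">
      <label>Hostname</label>
      <!-- second dropdown is narrowed by the first, so only hosts of that environment are offered -->
      <search><query>| inputlookup search_perimeter.csv | search environment="$environment$" | dedup hostname | table hostname</query></search>
      <fieldForLabel>hostname</fieldForLabel><fieldForValue>hostname</fieldForValue>
    </input>
    <input type="text" token="freetext">
      <label>Free text (words to search for)</label>
      <default>*</default>
    </input>
    <input type="time" token="time">
      <label>Time range</label>
      <default><earliest>-24h@h</earliest><latest>now</latest></default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Events (first 200 characters; click a row to see the full event)</title>
      <table>
        <search>
          <!-- the subsearch expands the selected perimeter rows into
               (index=... sourcetype=... source=... host=...) OR (...) -->
          <query>search [| inputlookup search_perimeter.csv
    | search environment="$environment$" hostname="$hostname$"
    | fields index sourcetype source host] $freetext|s$
| eval snippet=substr(_raw, 1, 200)
| table _time snippet _raw</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <fields>["_time","snippet"]</fields>
        <drilldown><set token="full_event">$row._raw$</set></drilldown>
      </table>
    </panel>
  </row>
  <row depends="$full_event$">
    <panel>
      <title>Full event</title>
      <html><pre>$full_event|h$</pre></html>
    </panel>
  </row>
</form>
```

Because the subsearch only ever emits index/sourcetype/source/host values that exist in the lookup, the lookup itself defines what a dashboard user can reach, on top of whatever their Splunk role already restricts.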

worshamn
Contributor

What about trying the tables option from the Datasets Add-on (https://splunkbase.splunk.com/app/3245/)? This lets users work with an Excel-like interface and there is an option on the side to see the SPL it creates. Once you install the app and go to the "Datasets" tab, click on "Create New Table Dataset" to be walked through creating a table to work with.
