Time Picker, Search Picker for a Line Chart: Help with Advanced XML

SplunkTrust

I have been digging into the Advanced XML stuff lately, and have come across a hurdle with simply figuring out the correct modules I should be using for the panel I want to create.

The panel would have a time picker, and a list selector that would have two keys. Each key's value would be a whole search string. After the time and search were picked it would create a line chart.

I got the timerangepicker

<module name="TimeRangePicker" layoutPanel="panel_row2_col1" group="Line Graph for Storage">
  <param name="searchWhenChanged">true</param>
  <param name="default">last_24_hours</param>
  <param name="label">Time Range</param>
</module>

My question then is how I go from here by implementing the selector module with the two keys mapping to the two searches, and then the best module to generate a line graph.

Re: Time Picker, Search Picker for a Line Chart: Help with Advanced XML

Splunk Employee

You might consider prototyping this with Simple XML, then viewing the resulting Advanced XML by adding ?showsource=true to the URL querystring parameters.

Re: Time Picker, Search Picker for a Line Chart: Help with Advanced XML

SplunkTrust

You probably want to use a StaticSelect module with a ConvertToIntention under it, with the ConvertToIntention using a stringreplace intention.

What I just said will make no sense to you until you read through either the relevant docs, or better yet download the app from splunkbase called "UI Examples for 4.1" and read through all the examples in there. Check out the example views, clone them and play around with them yourself. The specific example most relevant to this use case is the 'stringreplace' example under 'Advanced XML > Lister examples'.

To explain a little more here though, the StaticSelect module is basically a pulldown. The option values of this pulldown are usually single search terms but there's no reason they couldn't be entire search strings, at least assuming you're using a stringreplace intention.

2) Another option that might be more appropriate in this situation is to use a switcher.
I don't want to go into more detail cause I'll just be duplicating the stuff that's written in that app.

BEWARE: there is an app called 'UI Examples' on splunkbase. Do not download this one because it is old. Download the 'UI Examples for 4.1' cause it has a LOT more detail.