Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Create Dynamic URL for Splunk Search Dashboard URL

mayankaisera
Engager
‎06-17-2020 12:44 PM

I am working on creating a simple UI environment and want to include links to related Splunk search result web dashboard to make a more coherent experience for the user.

For example, say I have an incident named "Hello World"  in my simple UI and if the user clicks on Splunk from this simple UI, the user is navigated to Splunk Web Dashboard with the logs filtered by the keyword "Hello World".

I would very grateful if you could please share your thoughts on this and let me know if you have any questions.

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎06-17-2020 03:29 PM

If you have a Splunk dashboard with an input text box with a token name 'search_data', then you can link to this dashboard with

https://yoursplunkhost/en-GB/app/search/web_dashboard?form.search_data=Hello%20World

where in the above URL, 'search' is the name of the Splunk app, web_dashboard is the name of your dashboard and all tokens you are passing in to that dashboard are prefixed with 'form.'

Your search in the dashboard would already need to have that search filter enabled as part of the search, so it would look something like

 

your search $search_data|s$

 

so here your input search filter token is added as part of the search query - note the |s at the end of the name will cause it to double quote the value of the search string, effectively the same as doing

"$search_data$"

Hope this helps.

 

Reply

mayankaisera
Engager
‎06-17-2020 04:29 PM

Thank you so much, this helps a lot. If possible, can you please also share two more URL sample for:

  • One where we are trying to filter the data by keyword and timestamp (therefore from date1 to date2)
  • One where we are trying to sort the results by the "time" column.
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎06-17-2020 06:15 PM

The same principle applies for all 'tokens' you want to pass in to the Splunk dashboard, they are just url parameters prefixed with 'form.'.  For example this url

https://yoursplunkhost/en-GB/app/app_name/dashboard?form.time_range.earliest=-30d%40d&form.time_rang...

will set the time picker token 'time_range' for

earliest=-30d@d
latest=now

and it will set the token named 'first_token' and 'second_token' as above.

Sorting is just managed in the search. By default Splunk will show you indexed events in reverse chronological order, so depending on what visualisation you are doing, you may not need to do any sorting, but Splunk sort is in a simple form

| sort fieldname

but check the docs for full details

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sort

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...