Dashboard templates

ysouchon
Explorer

Hello,

I know Splunk quite well, at least the basic concepts. I have recently created a dashboard with a few panels based on summary index searches. This dashboard helps me to get charts about a bunch of servers.

Because I have different groups of servers around the world, I would like to generate the same kind of dashboards, but based on different servers.

It takes time to create all the searches, and then the related dashboard. What is the best way to do the same for other groups of servers? Do I need to create everything manually? Or does Splunk have another way, based on templates, to do the same?

I wish I could create a dashboard template and call it with several parameters (like the name of the other group of servers, for example) to generate my dashboard.

Thanks in advance for helping me to find the right way.

Yann

1 Solution

mw
Splunk Employee

You can use what's called "Simplified XML" in order to create a pulldown for each group of servers, where the selection of a value populates dashboard searches. The best reference for this stuff is in the "UI Examples" app, available on Splunkbase. Here's some XML from one of those views (you should just be able to paste this into a new view in Manager):

<form>
  <label>Panel-defined search driven by select drop down</label>

  <fieldset>
       <!-- Define a simple dropdown form driven by a search -->
       <input type="dropdown" token="sourcetype">
           <label>Sourcetype</label>
           <suffix>*</suffix>
           <populatingSearch fieldForValue="series" fieldForLabel="series" earliest="-60m">index=_internal source=*metrics.log group="per_sourcetype_thruput" | chart count over series</populatingSearch>
       </input>
      <input type="time" />
  </fieldset>


  <row>
      <html>
        <h1>Multi-panel linked form search</h1>
        <p>This form search will dispatch 4 separate searches, each listening
          to the common 'sourcetype' text box input.  This is useful for rendering
          pages that collate disparate searches that share a common search keyword/token.
        </p>
        <p>
          This form search is nearly identical to <a href="form4">Form search 4 - inverted flow, panel-defined post-process</a>.
        </p>
        <p>NOTE: because this page dispatches multiple searches, the JobStatus bar
          does not appear.
        </p> 
      </html>
  </row>

  <row>
      <chart>
          <title>KB Indexed over time</title>
          <searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series="$sourcetype$" | timechart sum(kb)</searchTemplate>
          <option name="charting.chart">area</option>
      </chart>
      <table>
          <title>average kbps over time</title>
          <searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series="$sourcetype$" | timechart avg(kbps)</searchTemplate>
      </table>
  </row>

  <row>
      <table>
          <title>Max events per second over time</title>
          <searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series="$sourcetype$" | timechart max(eps)</searchTemplate>
          <option name="count">20</option>
      </table>
      <chart>
          <title>Average events per second over time</title>
          <searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series="$sourcetype$" | timechart avg(eps)</searchTemplate>
          <option name="charting.chart">line</option>
          <option name="charting.legend.placement">none</option>
      </chart>
  </row>

</form>
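
Where a separate dashboard per server group is wanted rather than one form with a dropdown, the views can be generated from a single template. The script below is an added example, not part of the original answer or of the UI Examples app: it emits the same four panels in the answer's legacy Simple XML style, and it rejects any group value that could close the quoted `series="..."` term and append extra SPL. The group names, the `-24h` window and the use of `group="per_host_thruput"` to select hosts are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample groups: label -> host wildcard (hypothetical names).
SERVER_GROUPS = {"EMEA web": "emea-web-*", "APAC db": "apac-db-*"}

# Rows of (panel element, title, aggregation), mirroring the form in the answer.
ROWS = [
    [("chart", "KB indexed over time", "timechart sum(kb)"),
     ("table", "Average kbps over time", "timechart avg(kbps)")],
    [("table", "Max events per second over time", "timechart max(eps)"),
     ("chart", "Average events per second over time", "timechart avg(eps)")],
]

# Assumption: hosts are selected via metrics.log group="per_host_thruput".
BASE = 'index=_internal source=*metrics.log group="per_host_thruput" series="{}"'

# Allow only host-name characters and "*", so a value cannot close the
# quoted series="..." term and append further SPL (pipes, subsearches).
SAFE_PATTERN = re.compile(r"[A-Za-z0-9_.*-]+")


def build_dashboard(label, host_pattern):
    """Return Simple XML for one server group as a string."""
    if not SAFE_PATTERN.fullmatch(host_pattern):
        raise ValueError(f"unsafe host pattern: {host_pattern!r}")
    root = ET.Element("dashboard")
    # ElementTree escapes <, > and & in text, so labels stay well-formed XML.
    ET.SubElement(root, "label").text = f"Throughput - {label}"
    for row in ROWS:
        row_el = ET.SubElement(root, "row")
        for element, title, aggregation in row:
            panel = ET.SubElement(row_el, element)
            ET.SubElement(panel, "title").text = title
            search = ET.SubElement(panel, "searchString")
            search.text = f"{BASE.format(host_pattern)} | {aggregation}"
            ET.SubElement(panel, "earliestTime").text = "-24h"
    return ET.tostring(root, encoding="unicode")


def build_all(groups):
    """Map a file name (slug of the label) to the generated view XML."""
    return {re.sub(r"\W+", "_", label).lower() + ".xml": build_dashboard(label, pat)
            for label, pat in groups.items()}


if __name__ == "__main__":
    for name, xml in build_all(SERVER_GROUPS).items():
        print(name, len(xml), "bytes")
```

The same allow-list check is worth applying to any value that feeds a dashboard token, since token text is substituted into the search string as-is.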
